Abstract


The FLP result shows that crash-tolerant consensus is impossible to solve in asynchronous systems, and several solutions have been proposed for crash-tolerant consensus under alternative (stronger) models. One popular approach is to augment the asynchronous system with appropriate failure detectors, which provide (potentially unreliable) information about process crashes in the system, to circumvent the FLP impossibility.

In this paper, we demonstrate the exact mechanism by which (sufficiently powerful) asynchronous failure detectors enable solving crash-tolerant consensus. Our approach, which borrows arguments from the FLP impossibility proof and the famous result from [5], which shows that Ω is a weakest failure detector to solve consensus, also yields a natural proof that Ω is a weakest asynchronous failure detector to solve consensus. The use of I/O automata theory in our approach enables us to model execution in more detail than [2] and also addresses the latent assumptions and assertions in the original result in [2].

1 Introduction 

In [6] we introduced a new formulation of failure detectors. Unlike the traditional failure detectors of [3], [2], ours are modeled as asynchronous automata, and defined in terms of the general I/O automata framework for asynchronous concurrent systems. To distinguish our failure detectors from the traditional ones, we called ours “Asynchronous Failure Detectors (AFDs)”.

In terms of our model, we presented many of the standard results of the field and some new results. Our model narrowed the scope of failure detectors sufficiently so that AFDs satisfy several desirable properties, which are not true of the general class of traditional failure detectors. For example, (1) AFDs are self-implementable; (2) if an AFD D' is strictly stronger than another AFD D, then D' is sufficient to solve a strict superset of the problems solvable by D. See [6] for details. Working entirely within an asynchronous framework allowed us to take advantage of the general results about I/O automata and to prove our results rigorously without too much difficulty.

In this paper, we investigate the role of asynchronous failure detectors in circumventing the impossibility of crash-tolerant consensus in asynchronous systems (FLP) [7]. Specifically, we demonstrate exactly how sufficiently strong AFDs circumvent the FLP impossibility. We borrow ideas from the important related result by Chandra, Hadzilacos, and Toueg [2] that says that the failure detector Ω is a “Weakest Failure Detector” that solves the consensus problem. Incidentally, the proof in [2] makes certain implicit assumptions and assertions which are entirely reasonable and true, respectively. However, for the purpose of rigor, it is desirable that these assumptions be made explicit and these assertions be proved. Our demonstration of how sufficiently strong AFDs circumvent FLP dovetails effortlessly with an analogous proof of “weakest AFD” for consensus.

*The author is currently affiliated with Google Inc. 
While our proof generally follows the proof in [2], we state the (implicit) assumptions and assertions from [2] explicitly. Since our framework is entirely asynchronous and all our definitions are based on an established concurrency theory foundation, we are able to provide rigorous proofs for the (unproven) assertions from [2]. In order to prove the main result of this paper, we modified certain definitions from [6]. However, these modifications do not invalidate any of the results from [6].

The rest of this paper is organized as follows. Section 2 outlines the approach that we use in this paper and its major contributions. In Section 3 we compare our proof with the original CHT proof in [2]. Sections 4 through 6 introduce I/O automata and the definitions of a problem, of an asynchronous system, and of AFDs; much of the material is summarized from [6]. Section 7 introduces the notion of observations of AFD behavior, which are a key part of showing that Ω is a weakest AFD to solve consensus; this section proves several useful properties of observations which are central to the understanding of the proof and are a contribution of our work. In Section 8 we introduce execution trees for any asynchronous system that uses an AFD; we construct such trees from the observations introduced in Section 7. We also prove several properties of such execution trees, which may be of independent interest and useful in the analysis of executions in any AFD-based system. In Section 10 we formally define the consensus problem and use the notions of observations and execution trees to demonstrate how sufficiently strong AFDs enable asynchronous systems to circumvent the impossibility of fault-tolerant consensus in asynchronous systems [7]; Section 10 defines and uses decision gadgets in an execution tree to demonstrate this; it also shows that the set of such decision gadgets is countable, and therefore any such execution tree contains a “first” decision gadget. Furthermore, Section 10 also shows that each decision gadget is associated with a location that is live and never crashes; we call it the critical location of the decision gadget. In Section 11 we show that Ω is a weakest AFD to solve consensus by presenting a distributed algorithm that simulates the output of Ω. The algorithm constructs observations and execution trees, and it eventually identifies the “first” decision gadget and its corresponding critical location; the algorithm outputs this critical location as the output of the simulated Ω AFD, thus showing that Ω is a weakest AFD for consensus.


2 Approach and contributions 

To demonstrate our results, we start with a complete definition of asynchronous systems and AFDs. Here, we modified the definitions of AFD from [3, 6], but we did so without invalidating earlier results. We argue that the resulting definition of AFDs is more natural and models a richer class of behaviors in crash-prone asynchronous systems. Next, we introduce the notion of observations of AFD behavior (Section 7), which are DAGs that model a partial ordering of AFD outputs at different processes; importantly, knowledge of this partial order can be gained by any process through asynchronous message passing alone. Observations as a tool for modeling AFD behavior are of independent interest, and we prove several important properties of observations that are used in our later results.

From such observations, we construct trees of executions of arbitrary AFD-based systems; again, 
such trees are of independent interest, and we prove several important properties of such trees that 
are used later. 

Next, we define the consensus problem and the notion of valence. Roughly speaking, a finite execution of a system is univalent if all its fair extensions result in the same decision value, and the execution is bivalent if some fair extension results in decision value 1 and another fair extension results in decision value 0. We present our first important result using observations and execution trees: we show that a sufficiently powerful AFD guarantees that, in the execution tree constructed from any observation of AFD outputs, the events responsible for the transition from a bivalent execution to a univalent execution must occur at a location that does not crash. Such transitions to univalent executions correspond to so-called “decision gadgets”, and the live location corresponding to such a transition is called the “critical location” of the decision gadget.

Next, we use the aforementioned result to show that Ω is a weakest AFD to solve consensus. In order to do so, we first define a metric function that orders all the decision gadgets. This metric function satisfies an important stability property, which guarantees the following: given the decision gadget with the smallest metric value in a given infinite execution tree, for any sufficiently large but finite subtree, the same decision gadget has the smallest metric value within that subtree. Note that the original proof in [2] did not provide such a metric function, and we contend that it is an essential component for completing the proof. We then construct an emulation algorithm (similar to the one in [2]) that uses an AFD sufficiently powerful to solve consensus and simulates the output of Ω. In this algorithm, processes exchange AFD outputs and construct finite observations and corresponding finite execution trees. The aforementioned stability property ensures that eventually and forever, each process that does not crash identifies the same decision gadget as the one with the smallest metric value. Recall that the critical location of any decision gadget is guaranteed not to crash. Therefore, eventually and forever, each process that does not crash identifies the same correct process and outputs that correct process as the output of the simulated Ω AFD.

3 Comparisons with the original CHT proof 

Our proof has elements that are very similar to the original CHT proof from [2]. However, despite the similarity in our arguments, our proof deviates from the CHT proof in some subtle but significant ways.

3.1 Observations 

In [2], the authors introduce DAGs with special properties that model the outputs of a failure detector at different processes and establish a partial ordering of these outputs. In our proof, the analogous structure is an observation (see Section 7). However, our notion of an observation is much more general than the DAG introduced in [2].

First, the DAG in [2] is an infinite graph and cannot model failure detector outputs in finite 
executions. In contrast, observations may be finite or infinite. Second, we also introduce the 
notion of a sequence of finite observations that can be constructed from progressively longer finite 
executions that enable us to model the evolution of observations and execution trees as failure 
detector outputs become available. Such detailed modeling and analysis does not appear in [2]. 

3.2 Execution trees 

In [2], each possible input to consensus gives rise to a unique execution tree from the DAG. Thus, for n processes, there are 2^n possible trees, which constitute a forest of trees. In contrast, our proof constructs exactly one tree that models the executions for all possible inputs to consensus. This change is not merely cosmetic. It simplifies the analysis and makes the proof technique more general in the following sense.

The original proof in [2] cannot be extended to understanding long-lived problems such as iterative consensus or mutual exclusion. The simple reason for this is that the number of possible inputs for such problems can be uncountably infinite, and so the number of trees generated by the proof technique in [2] is also uncountably infinite. This introduces significant challenges in extracting any structures within these trees by a distributed algorithm. In contrast, in our approach, the execution tree remains virtually the same; only the rules for determining the action tag values at various edges change.

^Informally, an observation is viable if it can be constructed from an AFD trace.

3.3 Determining the “first” decision gadget 

In [2] and in our proof, a significant result is that there is an infinite but countable number of decision gadgets, and therefore there exists an enumeration of the decision gadgets under which one of them is the “first” one. This result is then used in [2] to claim that all the emulation algorithms converge to the same decision gadget. However, [2] does not provide any proof of this claim. Furthermore, we show that proving this claim is non-trivial.

The significant gap in the original proof in [2] is the following. During the emulation, each process constructs only finite DAGs, which are subgraphs of some infinite DAG with the required special properties. However, since the DAGs are finite, the trees of executions constructed from them could incorrectly identify certain parts of the trees as decision gadgets when, in the execution tree of the infinite DAG, they are not decision gadgets. Each such pseudo decision gadget is eventually deemed not to be a decision gadget as the emulation progresses. However, there can be infinitely many such pseudo gadgets. Thus, given an arbitrary enumeration of decision gadgets, it is possible that such pseudo decision gadgets appear infinitely often and are enumerated ahead of the “first” decision gadget. Consequently, the emulation never stabilizes to the first decision gadget.

In our proof, we address this gap by carefully defining metric functions for nodes and decision gadgets so that eventually, all the pseudo decision gadgets are ordered after the eventual “first” decision gadget.

4 I/O Automata 

We use the I/O Automata framework [8, 9, 10] for specifying the system model and failure detectors. Briefly, an I/O automaton models a component of a distributed system as a (possibly infinite) state machine that interacts with other state machines through discrete actions. This section summarizes the I/O-Automata-related definitions that we use in this paper. See [10, Chapter 8] for a thorough description of I/O Automata.

4.1 Automata Definitions 

An I/O automaton, which we will usually refer to as simply an “automaton”, consists of five 
components: a signature, a set of states, a set of initial states, a state-transition relation, and a set 
of tasks. We describe these components next. 

Actions, Signature, and Tasks. The state transitions of an automaton are associated with named actions; we denote the set of actions of an automaton A by act(A). Actions are classified as input, output, or internal, and this classification constitutes the signature of the automaton. We denote the sets of input, output, and internal actions of an automaton A by input(A), output(A), and internal(A), respectively. Input and output actions are collectively called the external actions, denoted external(A), and output and internal actions are collectively called the locally controlled actions. The locally controlled actions of an automaton are partitioned into tasks. Tasks are used in defining fairness conditions on executions of the automaton, as we describe in Section 4.4.

Internal actions of an automaton are local to the automaton itself whereas external (input and 
output) actions are available for interaction with other automata. Locally controlled actions are 
initiated by the automaton itself, whereas input actions simply arrive at the automaton from the 
outside, without any control by the automaton. 

States. The states of an automaton A are denoted by states(A); some (non-empty) subset init(A) ⊆ states(A) is designated as the set of initial states.

Transition Relation. The state transitions of an automaton A are defined by a state-transition relation trans(A), which is a set of tuples of the form (s, a, s') where s, s' ∈ states(A) and a ∈ act(A). Each such tuple (s, a, s') is a transition, or a step, of A. Informally speaking, each step (s, a, s') denotes the following behavior: automaton A, in state s, performs action a and changes its state to s'.

For a given state s and action a, if trans(A) contains some step of the form (s, a, s'), then a is said to be enabled in s. We assume that every input action in A is enabled in every state of A; that is, for every input action a and every state s, trans(A) contains a step of the form (s, a, s'). A task C, which is a set of locally controlled actions, is said to be enabled in a state s iff some action in C is enabled in s.

Deterministic Automata. The general definition of an I/O automaton permits multiple locally 
controlled actions to be enabled in any given state. It also allows the resulting state after performing 
a given action to be chosen nondeterministically. For our purposes, it is convenient to consider a 
class of I/O automata whose behavior is more restricted. 

We define an action a (of an automaton A) to be deterministic provided that, for every state s, trans(A) contains at most one transition of the form (s, a, s'). We define an automaton A to be task deterministic iff (1) for every task C and every state s of A, at most one action in C is enabled in s, and (2) all the actions in A are deterministic. An automaton is said to be deterministic iff it is task deterministic, has exactly one task, and has a unique start state.

4.2 Executions, Traces, and Schedules 

Now we define how an automaton executes. An execution fragment of an automaton A is a finite sequence s_0, a_1, s_1, a_2, ..., s_{k-1}, a_k, s_k, or an infinite sequence s_0, a_1, s_1, a_2, ..., s_{k-1}, a_k, s_k, ..., of alternating states and actions of A such that for every k ≥ 0, (s_k, a_{k+1}, s_{k+1}) is in trans(A). A sequence consisting of just a state is a special case of an execution fragment and is called a null execution fragment. Each occurrence of an action in an execution fragment is called an event.

An execution fragment that starts with an initial state (that is, s_0 ∈ init(A)) is called an execution. A null execution fragment consisting of an initial state is called a null execution. A state s is said to be reachable if there exists a finite execution that ends with s. By definition, any initial state is reachable.

We define concatenation of execution fragments. Let α_1 and α_2 be two execution fragments of an I/O automaton such that α_1 is finite and the final state of α_1 is also the starting state of α_2, and let α'_2 denote the sequence obtained by deleting the first state in α_2. Then the expression α_1 · α_2 denotes the execution fragment formed by appending α'_2 after α_1.

It is sometimes useful to consider just the sequence of events that occur in an execution, ignoring the states. Thus, given an execution α, the schedule of α is the subsequence of α that consists of all the events in α, both internal and external. The trace of an execution includes only the externally observable behavior; formally, the trace t of an execution α is the subsequence of α consisting of all the external actions.

More generally, we define the projection of any sequence on a set of actions as follows. Given a sequence t (which may be an execution fragment, schedule, or trace) and a set B of actions, the projection of t on B, denoted by t|B, is the subsequence of t consisting of all the events from B.

We define concatenation of schedules and traces. Let t_1 and t_2 be two sequences of actions of some I/O automaton where t_1 is finite; then t_1 · t_2 denotes the sequence formed by appending t_2 after t_1.

To designate specific events in a schedule or trace, we use the following notation: if a sequence t (which may be a schedule or a trace) contains at least x events, then t[x] denotes the x-th event in the sequence t, and otherwise, t[x] = ⊥. Here, ⊥ is a special symbol that we assume is different from the names of all actions.

4.3 Operations on I/O Automata 

Composition. A collection of I/O automata may be composed by matching output actions of some automata with the same-named input actions of others (see the footnote below). Each output of an automaton may be matched with inputs of any number of other automata. Upon composition, all the actions with the same name are performed together.

Let α = s_0, a_1, s_1, a_2, ... be an execution of the composition of automata A_1, ..., A_N. The projection of α on automaton A_i, where i ∈ [1, N], is denoted by α|A_i and is defined to be the subsequence of α obtained by deleting each pair a_k, s_k for which a_k is not an action of A_i and replacing each remaining state s_k by automaton A_i's part of s_k. Theorem 8.1 in [10] states that if α is an execution of the composition A_1, ..., A_N, then for each i ∈ [1, N], α|A_i is an execution of A_i. Similarly, if t is a trace of A_1, ..., A_N, then for each i, t|A_i is a trace of A_i.

Hiding. In an automaton A, an output action may be “hidden” by reclassifying it as an internal 
action. A hidden action no longer appears in the traces of the automaton. 

4.4 Fairness 

When considering executions of an I/O automaton, we will often be interested in those executions in which every task of the automaton gets infinitely many turns to take steps; we call such executions “fair”. When the automaton represents a distributed system, the notion of fairness can be used to express the idea that all system components continue to get turns to perform their activities.

Formally, an execution fragment α of an automaton A is said to be fair iff the following two conditions hold for every task C in A. (1) If α is finite, then no action in C is enabled in the final state of α. (2) If α is infinite, then either (a) α contains infinitely many events from C, or (b) α contains infinitely many occurrences of states in which C is not enabled.

A schedule σ of A is said to be fair if it is the schedule of a fair execution of A. Similarly, a trace t of A is said to be fair if it is the trace of a fair execution of A.

^Not all collections of I/O automata may be composed. For instance, in order to compose a collection of I/O automata, we require that no two automata have a common output action. See [10, Chapter 8] for details.
5 Crash Problems


In this section, we define problems, distributed problems, crash problems, and failure-detector problems. We also define a particular failure-detector problem corresponding to the leader election oracle Ω of [2].

5.1 Problems 

We define a problem P to be a tuple (I_P, O_P, T_P), where I_P and O_P are disjoint sets of actions and T_P is a set of (finite or infinite) sequences over these actions such that there exists an automaton A where input(A) = I_P, output(A) = O_P, and the set of fair traces of A is a subset of T_P. In this case we say that A solves P. We include the aforementioned assumption of solvability to satisfy a non-triviality property, which we explain in a later section.

Distributed Problems. Here and for the rest of the paper, we fix a finite set Π of n location IDs; we assume that Π does not contain the special symbol ⊥. We assume a fixed total ordering <_Π on Π. We also assume a fixed mapping loc from actions to Π ∪ {⊥}; for an action a, if loc(a) = i ∈ Π, then we say that a occurs at i. A problem P is said to be distributed over Π if, for every action a ∈ I_P ∪ O_P, loc(a) ∈ Π. We extend the definition of loc by defining loc(⊥) = ⊥.

Given a problem P that is distributed over Π, and a location i ∈ Π, I_{P,i} and O_{P,i} denote the sets of actions in I_P and O_P, respectively, that occur at location i; that is, I_{P,i} = {a | (a ∈ I_P) ∧ (loc(a) = i)} and O_{P,i} = {a | (a ∈ O_P) ∧ (loc(a) = i)}.

Crash Problems. We assume a set Î = {crash_i | i ∈ Π} of crash events, where loc(crash_i) = i. That is, crash_i represents a crash that occurs at location i. A problem P = (I_P, O_P, T_P) that is distributed over Π is said to be a crash problem iff Î ⊆ I_P. That is, crash_i ∈ I_{P,i} for every i ∈ Π.

Given a (finite or infinite) sequence t ∈ T_P, faulty(t) denotes the set of locations at which a crash event occurs in t. Similarly, live(t) = Π \ faulty(t) denotes the set of locations at which no crash event occurs in t. A location in faulty(t) is said to be faulty in t, and a location in live(t) is said to be live in t.

5.2 Failure-Detector Problems 

Recall that a failure detector is an oracle that provides information about crash failures. In our modeling framework, we view a failure detector as a special type of crash problem. A necessary condition for a crash problem P = (I_P, O_P, T_P) to be an asynchronous failure detector (AFD) is crash exclusivity, which states that I_P = Î; that is, the actions in I_P are exactly the crash actions. Crash exclusivity guarantees that the only inputs to a failure detector are the crash events, and hence failure detectors provide information only about crashes. An AFD must also satisfy additional properties, which we describe next.

Let D = (Î, O_D, T_D) be a crash problem satisfying crash exclusivity. We begin by defining a few terms that will be used in the definition of an AFD. Let t be an arbitrary sequence over Î ∪ O_D.

Valid sequence. The sequence t is said to be valid iff (1) for every i ∈ Π, no event in O_{D,i} (the set of actions in O_D at location i) occurs after a crash_i event in t, and (2) if no crash_i event occurs in t, then t contains infinitely many events in O_{D,i}.

Thus, a valid sequence contains no output events at a location i after a crash_i event, and contains infinitely many output events at each live location.
Sampling. A sequence t' is a sampling of t iff (1) t' is a subsequence of t, and (2) for every location i ∈ Π, (a) if i is live in t, then t'|O_{D,i} = t|O_{D,i}, and (b) if i is faulty in t, then t' contains the first crash_i event in t, and t'|O_{D,i} is a prefix of t|O_{D,i}.

A sampling of sequence t retains all events at live locations. For each faulty location i, it may remove a suffix of the outputs at location i. It may also remove some crash events, but must retain the first crash event at each faulty location.

Constrained Reordering. Let t' be a valid permutation of the events in t; t' is a constrained reordering of t iff the following is true. For every pair of events e and e', if (1) e precedes e' in t, and (2) either (a) e, e' ∈ O_D and loc(e) = loc(e'), or (b) e ∈ Î and e' ∈ O_D, then e precedes e' in t' as well (see the footnote below).

A constrained reordering of sequence t maintains the relative ordering of output events that occur at the same location and maintains the relative order between any crash event and any subsequent output event.

Crash Extension. Assume that t is a finite sequence. A crash extension of t is a (possibly infinite) sequence t' such that t is a prefix of t' and the suffix of t' following t is a sequence over Î. In other words, a crash extension of t is obtained by extending t with crash events.

Extra Crashes. An extra crash event in t is a crash_i event in t, for some i, such that t contains a preceding crash_i.

An extra crash is a crash event at a location that has already crashed.

Minimal-Crash Sequence. Let mincrash(t) denote the subsequence of t that contains all the events in t except for the extra crashes; mincrash(t) is called the minimal-crash sequence of t.

Asynchronous Failure Detector. Now we are ready to define asynchronous failure detectors. A crash problem of the form D = (Î, O_D, T_D) (which satisfies crash exclusivity) is an asynchronous failure detector (AFD, for short) iff D satisfies the following properties.

1. Validity. Every sequence t ∈ T_D is valid.

2. Closure Under Sampling. For every sequence t ∈ T_D, every sampling of t is also in T_D.

3. Closure Under Constrained Reordering. For every sequence t ∈ T_D, every constrained reordering of t is also in T_D.

4. Closure Under Crash Extension. For every sequence t ∈ T_D, for every prefix t_pre of t, and for every crash extension t' of t_pre, the following are true. (a) If t' is finite, then t' is a prefix of some sequence in T_D. (b) If faulty(t') = Π, then t' is in T_D.

5. Closure Under Extra Crashes. For every sequence t ∈ T_D, every sequence t' such that mincrash(t) = mincrash(t') is also in T_D.

^Note that the definition of constrained reordering is less restrictive than the definition in [3, 6]; specifically, unlike in [3, 6], this definition allows crashes to be reordered with respect to each other. However, this definition is “compatible” with the earlier definition in the sense that the results presented in [6] continue to be true under this new definition.



Of the properties given here, the first three, validity and closure under sampling and constrained reordering, were also used in our earlier papers [3, 6]. The other two closure properties, closure under crash extension and closure under extra crashes, are new here.

A brief motivation for the above properties is in order. The validity property ensures that (1) 
after a location crashes, no outputs occur at that location, and (2) if a location does not crash, 
outputs occur infinitely often at that location. Closure under sampling permits a failure detector 
to “skip” or “miss” any suffix of outputs at a faulty location. Closure under constrained reordering 
permits “delaying” output events at any location. Closure under crash extension permits a crash 
event to occur at any time. Finally, closure under extra crashes captures the notion that once a 
location is crashed, the occurrence of additional crash events (or lack thereof) at that location has 
no effect. 

We define one additional constraint, below. This constraint is a formalization of an implicit assumption made in [2]; namely, for any AFD D, any “sampling” (as defined in [2]) of a failure detector sequence in T_D is also in T_D.

Strong-Sampling AFDs. Let D be an AFD and t ∈ T_D. A subsequence t' of t is said to be a strong sampling of t if t' is a valid sequence. AFD D is said to satisfy closure under strong sampling if, for every trace t ∈ T_D, every strong sampling of t is also in T_D. Any AFD that satisfies closure under strong sampling is said to be a strong-sampling AFD.

Although the set of strong-sampling AFDs is a strict subset of all AFDs, we conjecture that restricting our discussion to strong-sampling AFDs does not weaken our result. Specifically, we assert without proof that for any AFD D, we can construct an “equivalent” strong-sampling AFD D'. This notion of equivalence is formally discussed in a later section.


5.3 The Leader Election Oracle

An example of a strong-sampling AFD is the leader election oracle Ω [2]. Informally speaking, Ω continually outputs a location ID at each live location; eventually and permanently, Ω outputs the ID of a unique live location at all the live locations. The Ω failure detector was shown in [2] to be a “weakest” failure detector to solve crash-tolerant consensus, in a certain sense. We present a version of this proof in this paper.

We specify our version of Ω = (Î, O_Ω, T_Ω) as follows. The action set O_Ω = ∪_{i∈Π} O_{Ω,i}, where, for each i ∈ Π, O_{Ω,i} = {FD-Ω(j)_i | j ∈ Π}. T_Ω is the set of all valid sequences t over Î ∪ O_Ω that satisfy the following property: if live(t) ≠ ∅, then there exists a location l ∈ live(t) and a suffix t_suff of t such that t_suff|O_Ω is a sequence over the set {FD-Ω(l)_i | i ∈ live(t)}.

Algorithm 1 shows an automaton whose set of fair traces is a subset of T_Ω; it follows that Ω satisfies our formal definition of a “problem”. It is easy to see that Ω = (Î, O_Ω, T_Ω) satisfies all the properties of an AFD, and furthermore, note that Ω also satisfies closure under strong sampling. The proofs of these observations are left as an exercise.




AFD Ω_f. Here, we introduce Ω_f, where f < n is a natural number, as a generalization of Ω. In this paper, we will show that Ω_f is a weakest strong-sampling AFD that solves fault-tolerant consensus if at most f locations are faulty. Informally speaking, Ω_f denotes the AFD that behaves exactly like Ω in traces that have at most f faulty locations. Thus, Ω_{n-1} is the AFD Ω.

Precisely, Ω_f = (Î, O_Ω, T_{Ω_f}), where T_{Ω_f} is the set of all valid sequences t over Î ∪ O_Ω such that, if |faulty(t)| ≤ f, then t ∈ T_Ω. This definition implies that T_{Ω_f} contains all the valid sequences over Î ∪ O_Ω such that |faulty(t)| > f.

It is easy to see that Ω_f is a strong-sampling AFD.
Algorithm 1 Automaton that implements the $\Omega$ AFD 

The automaton $FD\text{-}\Omega$ 

Signature: 
  input $crash_i$, $i \in \Pi$ 
  output $FD\text{-}\Omega(j)_i$, $i, j \in \Pi$ 
State variables: 
  $crashset$, a subset of $\Pi$, initially $\emptyset$ 
Transitions: 
  input $crash_i$ 
    effect 
      $crashset := crashset \cup \{i\}$ 
  output $FD\text{-}\Omega(j)_i$ 
    precondition 
      $(i \notin crashset) \wedge (j = \min(\Pi \setminus crashset))$ 
    effect 
      none 
Tasks: 
  One task per location $i \in \Pi$, defined as follows: 
    $\{FD\text{-}\Omega(j)_i \mid j \in \Pi\}$ 
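As an added example (not the paper's own code), the automaton of Algorithm 1 in Python, driven by a constructed crash-and-turn schedule, together with a checker that finds the point from which a finite trace prefix has stabilised on one live leader, which is the witness the $T_\Omega$ property (and, through $|faulty(t)|$, $T_{\Omega_f}$) asks for. The locations $\Pi = \{0, \ldots, n-1\}$, the schedule format and the function names are assumptions of the example.

```python
"""Added example (not the paper's code): the FD-Omega automaton of Algorithm 1
driven by a constructed schedule, plus a checker that locates the point from
which a finite trace has stabilised on a single live leader, as T_Omega
requires.  Locations are Pi = {0, ..., n-1}."""
from typing import List, Optional, Set, Tuple

# A trace event is ("crash", i, -1) for crash_i or ("fd", i, j) for FD-Omega(j)_i.
Event = Tuple[str, int, int]


class FDOmega:
    """Algorithm 1: crashset records crash inputs; FD-Omega(j)_i is enabled
    exactly when i is not in crashset and j = min(Pi \\ crashset)."""

    def __init__(self, n: int) -> None:
        self.locations = set(range(n))
        self.crashset: Set[int] = set()

    def crash(self, i: int) -> None:
        """Effect of the input action crash_i."""
        self.crashset.add(i)

    def enabled_output(self, i: int) -> Optional[int]:
        """The j of the unique enabled output FD-Omega(j)_i, or None once i
        has crashed (crash_i disables all locally controlled actions at i)."""
        if i in self.crashset:
            return None
        return min(self.locations - self.crashset)


def run(n: int, schedule: List[Tuple[str, int]]) -> List[Event]:
    """Execute the automaton under a constructed schedule: ("crash", i)
    applies crash_i, ("turn", i) gives location i's task a turn, which fires
    its enabled output if there is one.  Returns the resulting trace."""
    fd = FDOmega(n)
    trace: List[Event] = []
    for kind, i in schedule:
        if kind == "crash":
            fd.crash(i)
            trace.append(("crash", i, -1))
        else:
            j = fd.enabled_output(i)
            if j is not None:
                trace.append(("fd", i, j))
    return trace


def live(trace: List[Event], n: int) -> Set[int]:
    """live(t): the locations that never crash in t."""
    return set(range(n)) - {i for kind, i, _ in trace if kind == "crash"}


def stable_suffix(trace: List[Event], n: int) -> Optional[Tuple[int, int]]:
    """Return (l, start) where trace[start:] is the longest suffix whose FD
    outputs all have the form FD-Omega(l)_i with i in live(t), or None if the
    last output does not already name a live location.  On a finite prefix,
    'start' is the point after which the outputs have stabilised on leader l."""
    alive = live(trace, n)
    outputs = [ev for ev in trace if ev[0] == "fd"]
    if not alive or not outputs:
        return None
    l = outputs[-1][2]
    if l not in alive:
        return None
    start = len(trace)
    for k in range(len(trace) - 1, -1, -1):
        kind, i, j = trace[k]
        if kind == "fd" and (i not in alive or j != l):
            break
        start = k
    return l, start


def in_t_omega_f(trace: List[Event], n: int, f: int) -> bool:
    """Membership in T_{Omega_f} on a finite prefix: traces with more than f
    faulty locations are unconstrained; otherwise the T_Omega stabilisation
    witness must exist."""
    faulty_count = n - len(live(trace, n))
    if faulty_count > f:
        return True
    return stable_suffix(trace, n) is not None


def example_trace() -> List[Event]:
    """Constructed run with n = 4: one full round of outputs, then crash_0,
    another round, crash_2, and two more rounds at the survivors 1 and 3."""
    def turns(locs):
        return [("turn", i) for i in locs]
    schedule = (turns([0, 1, 2, 3]) + [("crash", 0)] + turns([0, 1, 2, 3])
                + [("crash", 2)] + turns([1, 2, 3]) + turns([1, 3]))
    return run(4, schedule)
```

In the constructed run the outputs at the crashed location 2 sit between the two crashes, so the stable suffix starts only after 2's last output, even though location 1 was already named as leader before that.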


6 System Model and Definitions 

We model an asynchronous system as the composition of a collection of I/O automata of the 
following kinds: process automata, channel automata, a crash automaton, and an environment 
automaton. The external signature of each automaton and the interaction among them are described 
in Section 6.1. The behavior of these automata is described in Sections 6.2 through 6.5. 
For the definitions that follow, we assume an alphabet $\mathcal{M}$ of messages. 

6.1 System Structure 

A system contains a collection of process automata, one for each location in $\Pi$. We define the 
association with a mapping $Proc$, which maps each location $i$ to a process automaton $Proc_i$. 
Automaton $Proc_i$ has the following external signature. It has an input action $crash_i$, which is an 
output from the crash automaton, a set of output actions $\{send(m, j)_i \mid m \in \mathcal{M} \wedge j \in \Pi \setminus \{i\}\}$, and 
a set of input actions $\{receive(m, j)_i \mid m \in \mathcal{M} \wedge j \in \Pi \setminus \{i\}\}$. A process automaton may also have 
other external actions with which it interacts with the external environment or a failure detector; 
the set of such actions may vary from one system to another. 

For every ordered pair $(i, j)$ of distinct locations, the system contains a channel automaton $C_{i,j}$, 
which models the channel that transports messages from process $Proc_i$ to process $Proc_j$. Channel 
$C_{i,j}$ has the following external actions. The set of input actions $input(C_{i,j})$ is $\{send(m, j)_i \mid m \in \mathcal{M}\}$, 
which is a subset of the outputs of the process automaton $Proc_i$. The set of output actions $output(C_{i,j})$ 
is $\{receive(m, i)_j \mid m \in \mathcal{M}\}$, which is a subset of the inputs to $Proc_j$. 

The crash automaton $C$ models the occurrence of crash failures in the system. Automaton $C$ 
has $I = \{crash_i \mid i \in \Pi\}$ as its set of output actions, and no input actions. 

The environment automaton $\mathcal{E}$ models the external world with which the distributed system 
interacts. The automaton $\mathcal{E}$ is a composition of $n$ automata $\{\mathcal{E}_i \mid i \in \Pi\}$. For each location $i$, the set 
of input actions to automaton $\mathcal{E}_i$ includes the action $crash_i$. In addition, $\mathcal{E}_i$ may have input and 
output actions corresponding (respectively) to any outputs and inputs of the process automaton 
$Proc_i$ that do not match up with other automata in the system. 

We assume that, for every location $i$, every external action of $Proc_i$ and $\mathcal{E}_i$, respectively, occurs 
at $i$, that is, $loc(a) = i$ for every external action $a$ of $Proc_i$ and $\mathcal{E}_i$. 

We provide some constraints on the structure of the various automata below. 


6.2 Process Automata 


The process automaton at location $i$, $Proc_i$, is an I/O automaton whose external signature satisfies 
the constraints given above, and that satisfies the following additional properties. 

1. Every internal action of $Proc_i$ occurs at $i$, that is, $loc(a) = i$ for every internal action $a$ of 
$Proc_i$. We have already assumed that every external action of $Proc_i$ occurs at $i$; now we are 
simply extending this requirement to the internal actions. 

2. Automaton $Proc_i$ is deterministic, as defined in Section 4.1. 

3. When $crash_i$ occurs, it permanently disables all locally controlled actions of $Proc_i$. 


We define a distributed algorithm $A$ to be a collection of process automata, one at each location; 
formally, it is simply a particular $Proc$ mapping. For convenience, we will usually write $A_i$ for the 
process automaton $Proc_i$. 


6.3 Channel Automata 

The channel automaton for $i$ and $j$, $C_{i,j}$, is an I/O automaton whose external signature is as 
described above. That is, $C_{i,j}$'s input actions are $\{send(m, j)_i \mid m \in \mathcal{M}\}$ and its output actions are 
$\{receive(m, i)_j \mid m \in \mathcal{M}\}$. 

Now we require $C_{i,j}$ to be a specific I/O automaton, a reliable FIFO channel, as defined in [10]. 
This automaton has no internal actions, and all its output actions are grouped into a single task. 
The state consists of a FIFO queue of messages, which is initially empty. A send input event can 
occur at any time. The effect of an event $send(m, j)_i$ is to add $m$ to the end of the queue. When a 
message $m$ is at the head of the queue, the output action $receive(m, i)_j$ is enabled, and its effect 
is to remove $m$ from the head of the queue. Note that this automaton $C_{i,j}$ is deterministic. 

6.4 Crash Automaton 

The crash automaton $C$ is an I/O automaton with $I = \{crash_i \mid i \in \Pi\}$ as its set of output actions, 
and no input actions. 

Now we require the following constraint on the behavior of $C$: every sequence over $I$ is a fair 
trace of the crash automaton. That is, any pattern of crashes is possible. For some of our results, 
we will consider restrictions on the number of locations that crash. 


6.5 Environment Automaton 


The environment automaton $\mathcal{E}$ is an I/O automaton whose external signature satisfies the 
constraints described in Section 6.1. Recall that $\mathcal{E}$ is a composition of $n$ automata $\{\mathcal{E}_i \mid i \in \Pi\}$. For 
each location $i$, the following is true. 

1. $\mathcal{E}_i$ has a unique initial state. 

2. $\mathcal{E}_i$ has tasks $Env_{i,x}$, where $x$ ranges over some fixed task index set $X_i$. 

3. $\mathcal{E}_i$ is task-deterministic. 

4. When $crash_i$ occurs, it permanently disables all locally controlled actions of $\mathcal{E}_i$. 

In addition, in some specific cases we will require the traces of £ to satisfy certain “well-formedness” 
restrictions, which will vary from one system to another. We will define these specifically when 
they are needed, later in the paper. 



Figure 1: Interaction diagram for a message-passing asynchronous distributed system augmented 
with a failure detector automaton. 


7 Solving Problems 

In this section we define what it means for a distributed algorithm to solve a crash problem in 
a particular environment. We also define what it means for a distributed algorithm to solve one 
problem P using another problem P'. Based on these definitions, we define what it means for an 
AFD to be sufficient to solve a problem. 

7.1 Solving a Crash Problem 

An automaton $\mathcal{E}$ is said to be an environment for $P$ if the input actions of $\mathcal{E}$ are $O_P$, and the 
output actions of $\mathcal{E}$ are $I_P \setminus I$. Thus, the environment's inputs and outputs "match" those of the 
problem, except that the environment doesn't provide the problem's crash inputs. 

If $\mathcal{E}$ is an environment for a crash problem $P = (I_P, O_P, T_P)$, then an I/O automaton $U$ is said 
to solve $P$ in environment $\mathcal{E}$ provided that the following conditions hold: 

1. $input(U) = I_P$. 

2. $output(U) = O_P$. 

3. The set of fair traces of the composition of $U$, $\mathcal{E}$, and the crash automaton is a subset of $T_P$. 

A distributed algorithm $A$ solves a crash problem $P$ in an environment $\mathcal{E}$ iff the automaton $\hat{A}$, 
which is obtained by composing $A$ with the channel automata, solves $P$ in $\mathcal{E}$. A crash problem $P$ 
is said to be solvable in an environment $\mathcal{E}$ iff there exists a distributed algorithm $A$ such that $A$ 
solves $P$ in $\mathcal{E}$. If crash problem $P$ is not solvable in environment $\mathcal{E}$, then it is said to be unsolvable 
in $\mathcal{E}$. 

7.2 Solving One Crash Problem Using Another 

Often, an unsolvable problem P may be solvable if the system contains an automaton that solves 
some other (unsolvable) crash problem P'. We describe the relationship between P and P' as 
follows. 

Let $P = (I_P, O_P, T_P)$ and $P' = (I_{P'}, O_{P'}, T_{P'})$ be two crash problems with disjoint sets of 
actions (except for crash actions). Let $\mathcal{E}$ be an environment for $P$. Then a distributed algorithm 
$A$ solves crash problem $P$ using crash problem $P'$ in environment $\mathcal{E}$ iff the following are true: 

1. For each location $i \in \Pi$, $input(A_i) = \bigcup_{j \neq i} output(C_{j,i}) \cup I_{P,i} \cup O_{P',i}$. 

2. For each location $i \in \Pi$, $output(A_i) = \ldots \cup I_{P',i} \setminus \{crash_i\}$. 

3. Let $\hat{A}$ be the composition of $A$ with the channel automata, the crash automaton, and the 
environment automaton $\mathcal{E}$. Then for every fair trace $t$ of $\hat{A}$, if $t|_{I_{P'} \cup O_{P'}} \in T_{P'}$, then $t|_{I_P \cup O_P} \in 
T_P$. 

In effect, in any fair execution of the system, if the sequence of events associated with the 
problem $P'$ is consistent with the specified behavior of $P'$, then the sequence of events associated 
with problem $P$ is consistent with the specified behavior of $P$. 

Note that requirement 3 is vacuous if for every fair trace $t$ of $\hat{A}$, $t|_{I_{P'} \cup O_{P'}} \notin T_{P'}$. However, in 
the definition of a problem $P'$, the requirement that there exist some automaton whose set of fair 
traces is a subset of $T_{P'}$ ensures that there are "sufficiently many" fair traces $t$ of $\hat{A}$ such that 
$t|_{I_{P'} \cup O_{P'}} \in T_{P'}$. 

We say that a crash problem $P' = (I_{P'}, O_{P'}, T_{P'})$ is sufficient to solve a crash problem $P = 
(I_P, O_P, T_P)$ in environment $\mathcal{E}$, denoted $P' \succeq_{\mathcal{E}} P$, iff there exists a distributed algorithm $A$ that 
solves $P$ using $P'$ in $\mathcal{E}$. If $P' \succeq_{\mathcal{E}} P$, then we also say that $P$ is solvable using $P'$ in $\mathcal{E}$. If no such 
distributed algorithm exists, then we state that $P$ is unsolvable using $P'$ in $\mathcal{E}$, and we denote it as 
$P' \not\succeq_{\mathcal{E}} P$. 


7.3 Using and Solving Failure-Detector Problems 

Since an AFD is simply a kind of crash problem, the definitions above automatically yield definitions 
for the following notions. 

1. A distributed algorithm A solves an AFD D in environment £. 

2. A distributed algorithm A solves a crash problem P using an AFD D in environment £. 

3. An AFD D is sufficient to solve a crash problem P in environment £. 

4. A distributed algorithm A solves an AFD D using a crash problem P in environment £. 

5. A crash problem P is sufficient to solve an AFD D in environment £. 

6. A distributed algorithm A solves an AFD D' using another AFD D. 

7. An AFD $D$ is sufficient to solve an AFD $D'$. 
Note that, when we talk about solving an AFD, the environment $\mathcal{E}$ has no output actions 
because the AFD has no input actions except for $I$, which are inputs from the crash automaton. 
Therefore, we have the following lemma. 

Lemma 7.1. Let $P$ be a crash problem and $D$ an AFD. If $P \succeq_{\mathcal{E}} D$ in some environment $\mathcal{E}$ (for 
$D$), then for any other environment $\mathcal{E}'$ for $D$, $P \succeq_{\mathcal{E}'} D$. 

Consequently, when we refer to an AFD $D$ being solvable using a crash problem (or an AFD) 
$P$, we omit the reference to the environment automaton and simply say that $P$ is sufficient to solve 
$D$; we denote this relationship by $P \succeq D$. Similarly, when we say that an AFD $D$ is unsolvable 
using $P$, we omit mention of the environment, and write simply $P \not\succeq D$. 

Finally, if an AFD $D$ is sufficient to solve another AFD $D'$ (notion 7 in the list above), then 
we say that $D$ is stronger than $D'$, and we denote this by $D \succeq D'$. If $D \succeq D'$, but $D' \not\succeq D$, then 
we say that $D$ is strictly stronger than $D'$, and we denote this by $D \succ D'$. Also, if $D \succeq D'$ and 
$D' \succeq D$, then we say that $D$ is equivalent to $D'$. 

We conjecture that for any AFD $D$, there exists a strong-sampling AFD $D'$ such that $D$ is 
equivalent to $D'$; thus, if a non-strong-sampling AFD $D$ is a weakest to solve consensus, then there 
must exist an equivalent AFD $D'$ that is also a weakest to solve consensus. Therefore, it is sufficient 
to restrict our attention to strong-sampling AFDs. 


8 Observations 


In this section, fix $D$ to be an AFD. We define the notion of an observation $G$ of $D$ and present 
properties of observations. Observations are a key part of the emulation algorithm used to prove 
the "weakest failure detector" result, in Section 11. 


8.1 Definitions and Basic Properties 

An observation is a DAG $G = (V, Z)$, where the set $V$ of vertices consists of triples of the form 
$v = (i, k, e)$ where $i \in \Pi$ is a location, $k$ is a positive integer, and $e$ is an action from $O_{D,i}$; we refer 
to $i$, $k$, and $e$ as the location, index, and action of $v$, respectively. Informally, a vertex $v = (i, k, e)$ 
denotes that $e$ is the $k$-th AFD output at location $i$, and the observation represents a partial 
ordering of AFD outputs at various locations. We say that an observation $G$ is finite iff the set $V$ 
(and therefore the set $Z$) is finite; otherwise, $G$ is said to be infinite. 

We require the set V to satisfy the following properties. 

1. For each location $i$ and each positive integer $k$, $V$ contains at most one vertex whose location 
is $i$ and index is $k$. 

2. If $V$ contains a vertex of the form $(i, k, *)$ and $k' < k$, then $V$ also contains a vertex of the 
form $(i, k', *)$. 

Property 1 states that at each location $i$, for each positive integer $k$, there is at most one $k$-th AFD 
output. Property 2 states that for any $i$ and $k$, if the $k$-th AFD output occurs at $i$, then the first 
$(k - 1)$ AFD outputs also occur at $i$. 

The set Z of edges imposes a partial ordering on the occurrence of AFD outputs. We assume 
that it satisfies the following properties. 

3. For every location $i$ and natural number $k$, if $V$ contains vertices of the form $v_1 = (i, k, *)$ 
and $v_2 = (i, k + 1, *)$, then $Z$ contains an edge from $v_1$ to $v_2$. 

4. For every pair of distinct locations $i$ and $j$ such that $V$ contains an infinite number of vertices 
whose location is $j$, the following is true. For each vertex $v_1$ in $V$ whose location is $i$, there 
is a vertex $v_2$ in $V$ whose location is $j$ such that there is an edge from $v_1$ to $v_2$ in $Z$. 

5. For every triple $v_1, v_2, v_3$ of vertices such that $Z$ contains both an edge from $v_1$ to $v_2$ and an 
edge from $v_2$ to $v_3$, $Z$ also contains an edge from $v_1$ to $v_3$. That is, the set of edges of $G$ is 
closed under transitivity. 

Property 3 states that at each location $i$, the $k$-th output at $i$ occurs before the $(k + 1)$-st output at 
$i$. Property 4 states that for every pair of locations $i$ and $j$ such that infinitely many AFD outputs 
occur at $j$, for every AFD output event $e$ at $i$ there exists some AFD output event $e'$ at $j$ such that 
$e$ occurs before $e'$. Property 5 is a transitive closure property that simply captures the notion that 
if event $e_1$ happens before event $e_2$ and $e_2$ happens before event $e_3$, then $e_1$ happens before $e_3$. 

Given an observation $G = (V, Z)$, if $V$ contains an infinite number of vertices of the form $(i, *, *)$ 
for some particular $i$, then $i$ is said to be live in $G$. We write $live(G)$ for the set of all the locations 
that are live in $G$. 

Lemma 8.1. Let $G = (V, Z)$ be an observation, $i$ a location in $live(G)$. Then for every positive 
integer $k$, $V$ contains exactly one vertex of the form $(i, k, *)$. 

Proof. Follows from Properties 1 and 2 of observations. □ 


Lemma 8.2. Let $i$ and $j$ be distinct locations with $j \in live(G)$. Let $v$ be a vertex in $V$ whose 
location is $i$. Then there exists a positive integer $k$ such that for every positive integer $k' > k$, $Z$ 
contains an edge from $v$ to some vertex of the form $(j, k', *)$. 

Proof. Follows from Lemma 8.1 and Properties 3, 4, and 5 of observations. □ 


Lemma 8.3. Let $i$ and $j$ be distinct locations with $j \in live(G)$ and $i \notin live(G)$; that is, $V$ contains 
infinitely many vertices whose location is $j$ and only finitely many vertices whose location is $i$. Then 
there exists a positive integer $k$ such that for every $k' > k$, there is no edge from any vertex of the 
form $(j, k', *)$ to any vertex whose location is $i$. 

Proof. Fix $i$ and $j$ as in the hypotheses. Let $v_1$ be the vertex in $V$ whose location is $i$ and whose 
index is the highest among all the vertices whose location is $i$. From Lemma 8.2 we know that 
there exists a positive integer $k$ such that for every positive integer $k' > k$, $Z$ contains an edge from 
$v_1$ to some vertex of the form $(j, k', *)$. Since $G$ is a DAG, there is no edge from any vertex of the 
form $(j, k', *)$, $k' > k$, to $v_1$. Applying Properties 3 and 5 of observations, we conclude that there is 
no edge from any vertex of the form $(j, k', *)$ to any vertex whose location is $i$. □ 


Lemma 8.4. Let $G = (V, Z)$ be an observation. Every vertex $v$ in $V$ has only finitely many 
incoming edges in $Z$. 

Proof. For contradiction, assume that there exists a vertex $v$ with infinitely many incoming edges, 
and let $i$ be the location of $v$. Then there must be a location $j \neq i$ such that there are infinitely 
many vertices whose location is $j$ that have an outgoing edge to $v$. Fix such a location $j$. Note 
that $j$ must be live in $G$. 

Since there are infinitely many vertices whose location is $j$, by Property 4 of observations, we 
know that $v$ has an outgoing edge to some vertex $(j, k, *)$. Since infinitely many vertices of the form 
$(j, k', *)$ have an outgoing edge to $v$, fix some such $k' > k$. By Properties 3 and 5 of observations, 
we know that there exists an edge from $(j, k, *)$ to $(j, k', *)$. Thus, we see that there exist edges from 
$v$ to $(j, k, *)$, from $(j, k, *)$ to $(j, k', *)$, and from $(j, k', *)$ to $v$, which yield a cycle. This contradicts 
the assumption that $G$ is a DAG. □ 
8.2 Viable Observations 

Now consider an observation $G = (V, Z)$. For any sequence of vertices in $V$, we define its 
event-sequence to be the sequence obtained by projecting each vertex onto its action component $e$. 

We say that a trace $t \in T_D$ is compatible with an observation $G$ provided that $t|_{O_D}$ is the event-sequence 
of some topological ordering of the vertices of $G$. $G$ is a viable observation if there exists 
a trace $t \in T_D$ that is compatible with $G$. 


Lemma 8.5. Let $G$ be a viable observation, and suppose that $t \in T_D$ is compatible with $G$. For 
each location $i$, $i$ is live in $G$ iff $i \in live(t)$. 


We now consider paths in an observation DAG, and their connection with strong sampling, as 
defined in Section 5.2. A path in an observation is a sequence of vertices, where for each pair of 
consecutive vertices $u, v$ in the path, $(u, v)$ is an edge of the observation. 

A branch of an observation $G$ is a maximal path in $G$. A fair branch $b$ of $G$ is a branch of 
$G$ that satisfies the additional property that, for every $i$ in $\Pi$, if $i$ is live in $G$, then $b$ contains an 
infinite number of vertices whose location is $i$. 


Lemma 8.6. Let $G$ be a viable observation, and suppose that $t \in T_D$ is compatible with $G$. Suppose 
$b$ is a fair branch of $G$, and let $e$ be the event-sequence of $b$. Then 

1. There exists a strong sampling $t'$ of $t$ such that $t'|_{O_D} = e$. 

2. If $D$ is a strong-sampling AFD, then there exists $t' \in T_D$ such that $t'$ is a strong sampling of 
$t$ and $t'|_{O_D} = e$. 

Proof. Fix $G$, $t$, $b$, $e$ and $D$ from the hypotheses of the Lemma statement. 

Proof of Part 1. Since $b$ is a fair branch of $G$, for each location $i$ that is live in $t$, $e$ contains an 
infinite number of outputs at $i$. Furthermore, for each location $i$, the projection of $e$ on the events 
at $i$ is a subsequence of the projection of $t$ on the AFD outputs at $i$. Therefore, by deleting all the 
AFD output events from $t$ that do not appear in $e$, we obtain a strong sampling $t'$ of $t$ such that 
$t'|_{O_D} = e$. 

Proof of Part 2. In Part 2, assume $D$ is a strong-sampling AFD. From Part 1, we have already 
established that there exists a strong sampling $t'$ of $t$ such that $t'|_{O_D} = e$. Fix such a $t'$. By closure 
under strong sampling, since $t \in T_D$, we conclude that $t' \in T_D$ as well. □ 


Lemma 8.6 is crucial to our results. In Section 11 we describe an emulation algorithm that 
uses outputs from an AFD to produce viable observations, and the emulations consider paths of 
the observation and simulate executions of a consensus algorithm with AFD outputs from each 
path in the observation. Lemma 8.6 guarantees that each fair path in the observation corresponds 
to an actual sequence of AFD outputs from some trace of the AFD. In fact, the motivation for the 
closure-under-strong-sampling property is to establish Lemma 8.6. 


8.3 Relations and Operations on Observations 

The emulation construction in Section 11 will require processes to manipulate observations. To 
help with this, we define some relations and operations on DAGs and observations. 

Prefix. Given two DAGs $G$ and $G'$, $G'$ is said to be a prefix of $G$ iff $G'$ is a subgraph of $G$ and 
for every vertex $v$ of $G'$, the set of incoming edges of $v$ in $G'$ is equal to the set of incoming edges 
of $v$ in $G$. 
Union. Let $G = (V, Z)$ and $G' = (V', Z')$ be two observations. Then the union $G''$ of $G$ and 
$G'$, denoted $G \cup G'$, is the graph $(V \cup V', Z \cup Z')$. Note that, in general, this union need not 
be another observation. However, under certain conditions, wherein the observations are finite 
and "consistent" in terms of the vertices and incoming edges at each vertex, the union of two 
observations is also an observation. We state this formally in the following Lemma. 

Lemma 8.7. Let $G = (V, Z)$ and $G' = (V', Z')$ be two finite observations. Suppose that the 
following hold: 

1. There do not exist $(i, k, e) \in V$ and $(i, k, e') \in V'$ with $e \neq e'$. 

2. If $v \in V \cap V'$ then $v$ has the same set of incoming edges (from the same set of other vertices) 
in $G$ and $G'$. 

Then $G \cup G'$ is also an observation. 

Proof. Straightforward. □ 


Insertion. Let $G = (V, Z)$ be a finite observation, $i$ a location, and $k$ the largest integer such that 
$V$ contains a vertex of the form $(i, k, *)$. Let $v$ be a triple $(i, k + 1, e)$. Then $insert(G, v)$, the result 
of inserting $v$ into $G$, is a new graph $G' = (V', Z')$, where $V' = V \cup \{v\}$ and $Z' = Z \cup \{(v', v) \mid v' \in V\}$. 
That is, $G'$ is obtained from $G$ by adding vertex $v$ and adding edges from every vertex in $V$ to $v$. 

Lemma 8.8. Let $G = (V, Z)$ be a finite observation, $i$ a location. Let $k$ be the largest integer such 
that $V$ contains a vertex of the form $(i, k, *)$. Let $v$ be a triple $(i, k + 1, e)$. Then $insert(G, v)$ is a 
finite observation. 
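As an added example (not the paper's own code) covering the observation properties of Section 8.1, compatibility in Section 8.2, and the prefix, union and insert operations above: a Python checker for finite observations, an `insert` following the definition, and a union that checks the two hypotheses of Lemma 8.7 and refuses the union when one fails. The function names and the representation of a vertex as a (location, index, action) tuple are assumptions of the example.

```python
"""Added example (not the paper's code): finite observations of Section 8.1,
event-sequences of Section 8.2, and prefix / union / insert of Section 8.3.
A vertex is (location, index, action); an edge is a pair of vertices.
Property 4 is vacuous for finite observations, so the checker tests
Properties 1, 2, 3, 5 and acyclicity."""
from itertools import product
from typing import Dict, List, Optional, Set, Tuple

Vertex = Tuple[int, int, str]
Edge = Tuple[Vertex, Vertex]


class Observation:
    def __init__(self, V=(), Z=()) -> None:
        self.V: Set[Vertex] = set(V)
        self.Z: Set[Edge] = set(Z)

    def incoming(self, v: Vertex) -> Set[Edge]:
        return {(u, w) for (u, w) in self.Z if w == v}


def is_acyclic(G: Observation) -> bool:
    """Kahn's algorithm: every vertex can be removed iff there is no cycle."""
    indeg: Dict[Vertex, int] = {v: 0 for v in G.V}
    for (_, w) in G.Z:
        indeg[w] += 1
    ready = [v for v, d in indeg.items() if d == 0]
    removed = 0
    while ready:
        u = ready.pop()
        removed += 1
        for (x, w) in G.Z:
            if x == u:
                indeg[w] -= 1
                if indeg[w] == 0:
                    ready.append(w)
    return removed == len(G.V)


def is_finite_observation(G: Observation) -> bool:
    seen: Set[Tuple[int, int]] = set()
    by_loc: Dict[int, Set[int]] = {}
    for (i, k, _) in G.V:
        if (i, k) in seen:                      # Property 1: one k-th output at i
            return False
        seen.add((i, k))
        by_loc.setdefault(i, set()).add(k)
    for ks in by_loc.values():                  # Property 2: indices 1..max, no gaps
        if ks != set(range(1, max(ks) + 1)):
            return False
    index = {(i, k): (i, k, e) for (i, k, e) in G.V}
    for (i, k), v in index.items():             # Property 3: edge (i,k) -> (i,k+1)
        nxt = index.get((i, k + 1))
        if nxt is not None and (v, nxt) not in G.Z:
            return False
    for (u, v), (v2, w) in product(G.Z, repeat=2):   # Property 5: transitivity
        if v == v2 and (u, w) not in G.Z:
            return False
    return is_acyclic(G)


def insert(G: Observation, v: Vertex) -> Observation:
    """insert(G, v) for v = (i, k+1, e), k the largest index at i in G: add v
    and an edge from every existing vertex to v (Lemma 8.8)."""
    i, k, _ = v
    kmax = max((kk for (ii, kk, _) in G.V if ii == i), default=0)
    if k != kmax + 1:
        raise ValueError("index must be one more than the largest index at i")
    return Observation(G.V | {v}, G.Z | {(u, v) for u in G.V})


def is_prefix(Gp: Observation, G: Observation) -> bool:
    """Gp is a subgraph of G and each vertex of Gp keeps its incoming edges."""
    return (Gp.V <= G.V and Gp.Z <= G.Z
            and all(Gp.incoming(v) == G.incoming(v) for v in Gp.V))


def union_if_consistent(G: Observation, H: Observation) -> Optional[Observation]:
    """G union H under the hypotheses of Lemma 8.7; None if a hypothesis fails."""
    for (i, k, e), (i2, k2, e2) in product(G.V, H.V):
        if (i, k) == (i2, k2) and e != e2:      # hypothesis 1
            return None
    for v in G.V & H.V:
        if G.incoming(v) != H.incoming(v):      # hypothesis 2
            return None
    return Observation(G.V | H.V, G.Z | H.Z)


def event_sequences(G: Observation) -> List[Tuple[str, ...]]:
    """Event-sequences of all topological orderings of G (Section 8.2); a trace
    t is compatible with G iff t restricted to the AFD outputs is one of them."""
    out: Set[Tuple[str, ...]] = set()

    def extend(placed: frozenset, prefix: Tuple[str, ...]) -> None:
        if len(placed) == len(G.V):
            out.add(prefix)
            return
        for v in sorted(G.V - placed):
            if all(u in placed for (u, w) in G.Z if w == v):
                extend(placed | {v}, prefix + (v[2],))

    extend(frozenset(), ())
    return sorted(out)
```

Building the same two vertices by `insert` in the two possible orders yields two observations that agree on every vertex but not on incoming edges, so `union_if_consistent` rejects their union by hypothesis 2 of Lemma 8.7.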


8.4 Limits of Sequences of Observations 

Consider an infinite sequence $G_1 = (V_1, Z_1), G_2 = (V_2, Z_2), \ldots$ of finite observations, where each is 
a prefix of the next. Then the limit of this sequence is the graph $G^\infty = (V, Z)$ defined as follows: 

• $V = \bigcup_y V_y$. 

• $Z = \bigcup_y Z_y$. 

Lemma 8.9. For each positive integer $y$, $G_y$ is a prefix of $G^\infty$. 

Under certain conditions, the limit of the infinite sequence of observations $G_1, G_2, \ldots$ is also an 
observation; we note this in Lemma 8.10. 

Lemma 8.10. Let $G^\infty = (V, Z)$ be the limit of the infinite sequence $G_1 = (V_1, Z_1), G_2 = (V_2, Z_2), \ldots$ 
of finite observations, where each is a prefix of the next. Suppose that the sequence satisfies the 
following property: 

1. For every vertex $v \in V$ and any location $j \in live(G^\infty)$, there exists a vertex $v' \in V$ with 
location $j$ such that $Z$ contains the edge $(v, v')$. 

Then $G^\infty$ is an observation. 

Proof. All properties are straightforward from the definitions, except for Property 4 of observations, 
which follows from the assumption of the lemma. □ 

We define an infinite sequence $G_1 = (V_1, Z_1), G_2 = (V_2, Z_2), \ldots$ of finite observations, where each 
is a prefix of the next, to be convergent if the limit $G^\infty$ of this sequence is an observation. 
9 Execution Trees 

In this section, we define a tree representing executions of a system $S$ that are consistent with 
a particular observation $G$ of a particular failure detector $D$. Specifically, we define a tree that 
describes executions of $S$ in which the sequence of AFD outputs is exactly the event-sequence of 
some path in observation $G$. 

Section 9.1 defines the system $S$ for which the tree is defined. The tree is constructed in two 
parts: Section 9.2 defines a "task tree", and Section 9.3 adds tags to the nodes and edges of the 
task tree to yield the final execution tree. Additionally, Sections 9.2 and 9.3 prove certain basic 
properties of execution trees, and they establish a correspondence between the nodes in the tree 
and finite executions of $S$. Section 9.4 defines that two nodes in the execution tree are "similar" 
to each other if they have the same tags, and therefore correspond to the same execution of $S$; the 
section goes on to prove certain useful properties of nodes in the subtrees rooted at any two similar 
nodes. Section 9.5 defines that two nodes in the execution tree are "similar-modulo-$i$" to each 
other if the executions corresponding to the two nodes are indistinguishable for process automata 
at any location except possibly the process automaton at $i$; the section goes on to prove certain 
useful properties of nodes in the subtrees rooted at any two similar-modulo-$i$ nodes. Section 9.6 
establishes useful properties of nodes that are in different execution trees that are constructed using 
two observations, one of which is a prefix of the other. Finally, Section 9.7 proves that a "fair branch" 
of an infinite execution tree corresponds to a fair execution of system $S$. The major results in this 
section are used in Sections 10 and 11, which show that $\Omega_f$ is a weakest strong-sampling AFD to 
solve consensus if at most $f$ locations crash. 


9.1 The System 

Fix $S$ to be a system consisting of a distributed algorithm $A$, channel automata, and an environment 
automaton $\mathcal{E}$ such that $A$ solves a crash problem $P$ using $D$ in $\mathcal{E}$. 

The system $S$ contains the following tasks. The process automaton at $i$ contains a single task 
$Proc_i$. Each channel automaton $Chan_{i,j}$, where $j \in \Pi \setminus \{i\}$, contains a single task, which we also 
denote as $Chan_{i,j}$; the actions in task $Chan_{i,j}$ are of the form $receive(*, i)_j$, which results in a 
message received at location $j$. Each automaton $\mathcal{E}_i$ has tasks $Env_{i,x}$, where $x$ ranges over some 
fixed task index set $X_i$. Let $T$ denote the set of all the tasks of $S$. 

Each task has an associated location, which is the location of all the actions in the task. The 
tasks at location $i$ are $Proc_i$, $Chan_{j,i}$ for $j \in \Pi \setminus \{i\}$, and $Env_{i,x}$ for $x \in X_i$. 

Recall from Section … that each process automaton, each channel automaton, and the environment 
automaton have unique initial states. Therefore, the system $S$ has a unique initial state. 
From the definitions of the constituent automata of $S$, we obtain the following lemma. 

Lemma 9.1. Let $\alpha$ be an execution of system $S$, and let $t = t_{pre} \cdot t_{suff}$ be the trace of $\alpha$ such that, 
for some location $i$, $t_{suff}$ does not contain any locally-controlled actions at $Proc_i$ and $\mathcal{E}_i$. Then 
there exists an execution $\alpha'$ of system $S$ such that $t' = t_{pre} \cdot crash_i \cdot t_{suff}$ is the trace of $\alpha'$. 

Proof. Fix $\alpha$, $t = t_{pre} \cdot t_{suff}$, and $i$ as in the hypothesis of the claim. Let $\alpha_{pre}$ be the prefix of $\alpha$ 
whose trace is $t_{pre}$. Let $s$ be the final state of $\alpha_{pre}$. Consider the execution $\alpha_{pre} \cdot crash_i \cdot s'$, 
where $s'$ is the state of $S$ when $crash_i$ is applied to state $s$. 

Note that $crash_i$ disables all locally-controlled actions at $Proc_i$ and $\mathcal{E}_i$, and it does not change 
the state of any other automaton in $S$. Therefore, the states of all automata in $S$ except for $Proc_i$ 
and $\mathcal{E}_i$ are the same in $s$ and $s'$. Also, note that $t_{suff}$ does not contain any locally-controlled 
action at $Proc_i$ or $\mathcal{E}_i$, and $t_{suff}$ can be applied to state $s$. Therefore, $t_{suff}$ can also 
be applied to $s'$, thus extending $\alpha_{pre} \cdot crash_i \cdot s'$ to an execution $\alpha'$ of $S$. By construction, the trace $t'$ of $\alpha'$ is 
$t_{pre} \cdot crash_i \cdot t_{suff}$. □ 


9.2 The Task Tree 

For any observation $G = (V, Z)$, we define a tree that describes all executions of $S$ in which 
the sequence of AFD output events is the event-sequence of some path in $G$. 

We describe our construction in two stages. The first stage, in this subsection, defines the 
basic structure of the tree, with annotations indicating where particular system tasks and observation 
vertices occur. The second stage, described in the next subsection, adds information about 
particular actions and system states. 

The task tree is rooted at a special node called "$\top$", which corresponds to the initial state of the 
system $S$. The tree is of height $|V|$; if $|V|$ is infinite, the tree has infinite height.$^1$ Every node $N$ in 
the tree that is at depth $|V|$ is a leaf node. All other nodes are internal nodes. Each edge in the 
tree is labeled by an element from $T \cup \{FD_i \mid i \in \Pi\}$. Intuitively, the label of an edge corresponds 
to a task being given a "turn" or an AFD event occurring. An edge with label $l$ is said to be an 
$l$-edge, for short. The child of a node $N$ that is connected to $N$ by an edge labeled $l$ is said to be 
an $l$-child of $N$. 

In addition to labels at each edge, the tree is also augmented with a vertex tag, which is a vertex 
in $G$, at each node and edge. We write $v_N$ for the vertex tag at node $N$ and $v_E$ for the vertex tag 
at edge $E$. Intuitively, each vertex tag denotes the latest AFD output that occurs in the execution 
of $S$ corresponding to the path in the tree from the root to node $N$ or the head node of edge $E$ (as 
appropriate). The set of outgoing edges from each node $N$ in the tree is determined by the vertex 
tag $v_N$. 

We describe the labels and vertex tags in the task tree recursively, starting with the $\top$ node. 
We define the vertex tag of $\top$ to be a special placeholder element $(\top, 0, \top)$, representing a "null 
vertex" of $G$. For each internal node $N$ with vertex tag $v_N$, the outgoing edges from $N$ and their 
vertex tags are as follows. 

• Outgoing Proc, Chan, and Env edges. For every task $l$ in $T$, the task tree contains exactly 
one outgoing edge $E$ from $N$ with label $l$, i.e., an $l$-edge. The vertex tag $v_E$ of $E$ is 
$v_N$. 

• Outgoing FD-edges. If $v_N = (\top, 0, \top)$, then for every vertex $(i, k, e)$ of $G$, the task tree 
includes an edge $E$ from $N$ with label $FD_i$ and vertex tag $v_E = (i, k, e)$. For every location $i$ 
such that $G$ contains no vertices with location $i$, the task tree includes a single outgoing edge 
$E$ from $N$ with label $FD_i$ and vertex tag $(\top, 0, \top)$. 

Otherwise ($v_N$ is a vertex of $G$), for every vertex (say) $(i, k, e)$ of $G$ that has an edge in $G$ 
from vertex $v_N$, the task tree includes an outgoing edge $E$ from $N$ with label $FD_i$ and vertex 
tag $v_E = (i, k, e)$. For every location $i$ such that there is no edge in $G$ from $v_N$ to any vertex 
whose location is $i$, the task tree includes an outgoing edge $E$ from $N$ with label $FD_i$ and 
vertex tag $v_E = v_N$. 

For each node $N'$ that is a child of $N$ and whose incoming edge is $E$, $v_{N'} = v_E$. 

$^1$ The intuitive reason for limiting the depth of the tree to $|V|$ is the following. If $G$ is a finite observation, then 
none of the locations in $\Pi$ are live in $G$. In this case, we want all the branches in the task tree to be finite. On the 
other hand, if $G$ is an infinite observation, then some location in $\Pi$ is live in $G$, and in this case we want all the 
branches in the task tree to be infinite. One way to ensure these properties is to restrict the depth of the tree to $|V|$. 
A path in a rooted tree is an alternating sequence of nodes and edges, beginning and ending 
with a node, where (1) each node is incident to both the edge that precedes it and the edge that 
follows it in the sequence, and (2) the nodes that precede and follow an edge are the end nodes of 
that edge. 

A branch in a rooted tree is a maximal path in the tree that starts at the root. 

The following two Lemmas follow from the construction of the task tree. 

Lemma 9.2. For each label $l$, each internal node $N$ in $\mathcal{R}^G$ has at least one outgoing $l$-edge. 

Lemma 9.3. Let $q$ be a path in the tree that begins at the root node. Consider the sequence of 
distinct non-$(\top, 0, \top)$ vertex tags of edges in path $q$. Then there exists some path $p$ in $G$ such that 
this sequence is the sequence of vertices along $p$. 


9.3 The Augmented Tree 

Now we augment the task tree produced in the previous section to include additional tags — 
configuration tags cn at the nodes, which are states of the system S, and action tags at the 
edges, which are actions of S or T. However, the action tags cannot be crash actions. The resulting 
tagged tree is our execution tree TZ^. Intuitively, the configuration tag cat of a node N denotes a 
state of system 5, and the action tag qe for an edge E with label I from node N denotes an action 
oe from task I that occurs when system S is in state cn- It is easy to see that for any path in 
the execution tree, the sequence of alternating configuration tags and action tags along the path 
represents an execution fragment of S. 

We define the tags recursively, this time starting from the already-defined task tree. For the $\top$ node, the configuration tag is the initial state of $S$. For each internal node $N$ with configuration tag $c_N$ and vertex tag $v_N$, the new tags are defined as follows:


• Outgoing FD-edges. For every edge $E$ from node $N$ with label $FD_i$, the action tag $a_E$ is determined as follows. If the vertex tag $v_E = (i, k, e) \neq v_N$, then $a_E = e$. If $v_E = v_N$, then $a_E = \bot$.

Essentially, if $v_E = (i, k, e) \neq v_N$, then this corresponds to the action $e$ of $v_E$ occurring when $S$ is in state $c_N$; we model this by setting $a_E$ to $e$. Otherwise, $v_E = v_N$ and no event from $FD_i$ occurs when $S$ is in state $c_N$; we model this by setting $a_E$ to $\bot$. Recall that the task tree contains such an edge exactly when $G$ offers no vertex with location $i$ that can follow $v_N$: either $v_N = (\bot, 0, \bot)$ and $G$ has no vertex with location $i$, or $G$ has no edge from $v_N$ to a vertex with location $i$.


• Outgoing Proc and Env edges. For every edge $E$ from node $N$ with label $l \in \{Proc_i\} \cup \{Env_{i,x} \mid x \in X_i\}$ for some location $i$, the action tag $a_E$ is determined as follows. If (1) some action $a$ in task $l$ is enabled in state $c_N$, and (2) either (a) $v_N$ is a vertex of $G$ and $G$ contains an edge from $v_N$ to a vertex with location $i$, or (b) $v_N = (\bot, 0, \bot)$ and $G$ has a vertex with location $i$, then $a_E$ is $a$; otherwise $a_E$ is $\bot$. Note that since each process automaton and each constituent automaton of the environment automaton in $S$ is task-deterministic, for each location $i$ at most one action in the $Proc_i$ task is enabled in $c_N$ and, for each location $i$ and each $x \in X_i$, at most one action in the $Env_{i,x}$ task is enabled in $c_N$. Therefore, at most one action $a$ in task $l$ is enabled in state $c_N$, and thus $a_E$ is well-defined.


Fix a node $N$ in $\mathcal{R}^G$ and a location $i$. Observe that if the action tag of an $FD_i$-edge from $N$ is $\bot$, then every $FD_i$-edge that is a descendant of $N$ also has action tag $\bot$. Condition (2) above for determining $a_E$ for a $Proc_i$- or $Env_i$-edge $E$ from $N$ then implies that, if no AFD output event at $i$ follows $N$ in the maximal subtree of $\mathcal{R}^G$ rooted at $N$, then no $Proc_i$ event or $Env_i$ event follows $N$ in that subtree either; we formalize this claim in Lemma 9.14.
• Outgoing Chan edges. For every edge $E$ from node $N$ with label $l \in \{Chan_{i,j} \mid i \in \Pi \wedge j \in \Pi \setminus \{i\}\}$, the action tag $a_E$ is determined as follows: if some action $a$ in task $l$ is enabled in state $c_N$, then $a_E = a$; otherwise $a_E = \bot$. Note that since all automata in $S$ are task-deterministic, at most one action in task $l$ is enabled in $c_N$. Informally, if some action in task $l$ is enabled in state $c_N$, then that event occurs along the edge $E$; otherwise, no event occurs along the edge $E$.


Each node $\hat{N}$ that is a child of $N$ and whose incoming edge is $E$ is tagged as follows. If the action tag $a_E = \bot$, then $c_{\hat{N}} = c_N$. Otherwise, $c_{\hat{N}}$ is the state of $S$ resulting from applying the action $a_E$ to state $c_N$.
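The tagging rules above are a recursive construction, so they can be exercised mechanically. The following Python model is an added example written for this edition; it is not code from the paper. It assumes a constructed two-location system $S$ (processes that send one message after their first AFD output, and FIFO channels), a constructed finite observation $G$ with three vertices, and a depth bound in place of the $|V|$ restriction, and it labels the root vertex tag $(\bot, 0, \bot)$ and the action tag $\bot$ with Python sentinels. It builds $\mathcal{R}^G$ with the FD, Proc/Env and Chan rules, computes $exe(N)$, and checks Lemmas 9.4, 9.7 and 9.13 on every node.

```python
from dataclasses import dataclass, field

ROOT_VTAG = (None, 0, None)   # plays the role of the root vertex tag (bot, 0, bot)
BOT = None                    # plays the role of the action tag bot, "no event on this edge"


class Observation:
    """A finite observation G: vertices (i, k, e) and a transitively closed edge set."""

    def __init__(self, vertices, edges):
        self.vertices, self.edges = frozenset(vertices), frozenset(edges)

    def successors_at(self, v, i):
        """Vertices at location i that may follow vertex tag v (all of them from the root)."""
        if v == ROOT_VTAG:
            return sorted(w for w in self.vertices if w[0] == i)
        return sorted(w for (u, w) in self.edges if u == v and w[0] == i)


@dataclass
class Node:
    vtag: tuple                                        # vertex tag v_N
    ctag: tuple                                        # configuration tag c_N, a state of S
    edges: list = field(default_factory=list)          # (label, v_E, a_E, child)


def build_tree(G, locations, tasks, apply, init, depth):
    """Build R^G down to `depth` (this example's device for keeping the tree finite).
    `tasks` maps each task label of S to its deterministic enabled-action function;
    the ('FD', i) labels are handled here because they are not tasks of S."""
    root, frontier = Node(ROOT_VTAG, init), []
    frontier.append((root, 0))
    while frontier:
        N, d = frontier.pop()
        if d == depth:
            continue
        for i in locations:                            # outgoing FD_i edges
            succ = G.successors_at(N.vtag, i)
            for w in succ:                             # one edge per successor; a_E is its event
                N.edges.append((('FD', i), w, w[2], Node(w, apply(N.ctag, w[2]))))
            if not succ:                               # no FD_i event possible: one bot edge
                N.edges.append((('FD', i), N.vtag, BOT, Node(N.vtag, N.ctag)))
        for label, enabled in tasks.items():           # outgoing Proc, Env and Chan edges
            a = enabled(N.ctag)
            if label[0] in ('Proc', 'Env') and not G.successors_at(N.vtag, label[1]):
                a = BOT                                # condition (2): no AFD future at i
            child = Node(N.vtag, N.ctag if a is BOT else apply(N.ctag, a))
            N.edges.append((label, N.vtag, a, child))
        frontier.extend((e[3], d + 1) for e in N.edges)
    return root


def walk(root):
    """Yield (N, path(N)) for every node; path(N) lists edges as (label, v_E, a_E, parent)."""
    stack = [(root, [])]
    while stack:
        N, path = stack.pop()
        yield N, path
        stack.extend((child, path + [(lab, v, a, N)]) for lab, v, a, child in N.edges)


def exe(path, N):
    """exe(N): each config tag that precedes a non-bot action tag on path(N), then c_N."""
    seq = []
    for _, _, a, parent in path:
        if a is not BOT:
            seq += [parent.ctag, a]
    return seq + [N.ctag]


def check_lemmas(root, G, tasks, apply, is_fd_event):
    """Check Lemma 9.4 (exe(N) is an execution of S whose AFD projection follows a path
    in G ending at v_N), Lemma 9.7 (children keyed by label and vertex tag) and Lemma 9.13
    (a bot FD_i edge forces bot Proc_i/Env_i edges) at every node; return the node count."""
    count = 0
    for N, path in walk(root):
        count += 1
        run = exe(path, N)
        for k in range(0, len(run) - 1, 2):            # every (c, a, c') is a step of S
            c, a, c_next = run[k], run[k + 1], run[k + 2]
            assert is_fd_event(a) or a in {f(c) for f in tasks.values()}
            assert c_next == apply(c, a)
        vs = [v for _, v, _, parent in path if v != parent.vtag]   # vertex tags of AFD events
        assert [a for a in run[1::2] if is_fd_event(a)] == [v[2] for v in vs]
        assert all((u, w) in G.edges for u, w in zip(vs, vs[1:]))
        assert not vs or vs[-1] == N.vtag
        keys = [(lab, v) for lab, v, _, _ in N.edges]
        assert len(keys) == len(set(keys))
        for i in {lab[1] for lab, _, _, _ in N.edges if lab[0] == 'FD'}:
            if any(a is BOT for lab, _, a, _ in N.edges if lab == ('FD', i)):
                assert all(a is BOT for lab, _, a, _ in N.edges
                           if lab[0] in ('Proc', 'Env') and lab[1] == i)
    return count


# Constructed system S with locations 1 and 2 (an assumption of this example): the state is
# (p1, p2, q12, q21). AFD event ('fd', i) readies process i, which then sends one message
# over Chan_{i,j}; delivery marks the receiver done. The environment has no tasks here.
LOCS, INIT = (1, 2), ('idle', 'idle', (), ())
V11, V12, V21 = (1, 1, ('fd', 1)), (1, 2, ('fd', 1)), (2, 1, ('fd', 2))
G = Observation([V11, V12, V21], [(V11, V12), (V11, V21), (V12, V21)])   # constructed G


def is_fd_event(a):
    return a[0] == 'fd'


def apply(c, a):
    s = list(c)
    if a[0] == 'fd' and s[a[1] - 1] == 'idle':
        s[a[1] - 1] = 'ready'
    elif a[0] == 'send':                 # ('send', i): enqueue on Chan_{i,j}, j = 3 - i
        s[a[1] - 1], s[1 + a[1]] = 'sent', c[1 + a[1]] + (('m', a[1]),)
    elif a[0] == 'receive':              # ('receive', m, j): dequeue from Chan_{i,j}, i = 3 - j
        i = 3 - a[2]
        s[1 + i], s[a[2] - 1] = c[1 + i][1:], 'done'
    return tuple(s)


TASKS = {('Proc', 1): lambda c: ('send', 1) if c[0] == 'ready' else None,
         ('Proc', 2): lambda c: ('send', 2) if c[1] == 'ready' else None,
         ('Chan', 1, 2): lambda c: ('receive', c[2][0], 2) if c[2] else None,
         ('Chan', 2, 1): lambda c: ('receive', c[3][0], 1) if c[3] else None}


def demo(depth=3):
    """Build the tree and run the lemma checks; returns (root, number of nodes checked)."""
    root = build_tree(G, LOCS, TASKS, apply, INIT, depth)
    return root, check_lemmas(root, G, TASKS, apply, is_fd_event)
```

Two things are visible in the output that the prose states only abstractly: the root has seven outgoing edges (two $FD_1$-edges, one for each location-1 vertex of $G$, one $FD_2$-edge, and one edge per task of $S$), and along the $FD_1$-edge to $V_{12}$ the $Proc_1$-edge carries $\bot$ even though a send is enabled, because $G$ has no further vertex at location 1 after $V_{12}$; this is the post-crash behaviour that Lemma 9.14 formalizes.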

The following lemmas establish various relationships between nodes, paths, and branches in $\mathcal{R}^G$. Note that these lemmas follow immediately from the construction.

For each node $N$, let $path(N)$ be the path from the root node $\top$ to $N$ in the tree $\mathcal{R}^G$. Let $exe(N)$ be the sequence of alternating configuration tags and action tags along $path(N)$ such that $exe(N)$ contains exactly the non-$\bot$ action tags and their preceding configuration tags in $path(N)$, and ends with the configuration tag $c_N$.

Lemma 9.4. For each node $N$ in $\mathcal{R}^G$, the sequence $exe(N)$ is a finite execution of the system $S$ that ends in state $c_N$, and if $exe(N)|_{O_D}$ is non-empty (and therefore $v_N$ is a vertex of $G$), then $exe(N)|_{O_D}$ is the event sequence of the vertices in $G$ along some path to $v_N$.

Lemma 9.5. Let $N$ be a node, let $\hat{N}$ be a child of $N$, and let $E$ be the edge from $N$ to $\hat{N}$ in $\mathcal{R}^G$. Then the following are true.

1. If $a_E = \bot$, then $c_N = c_{\hat{N}}$, $exe(N) = exe(\hat{N})$, and $v_N = v_{\hat{N}}$.

2. If $a_E \neq \bot$, then $exe(\hat{N}) = exe(N) \cdot a_E \cdot c_{\hat{N}}$.


Lemma 9.6. For each node $N$ in $\mathcal{R}^G$ and any descendant $\hat{N}$ of $N$, $exe(N)$ is a prefix of $exe(\hat{N})$ and $exe(N)|_{O_D}$ is a prefix of $exe(\hat{N})|_{O_D}$.

Proof. Follows from repeated application of Lemma 9.5 along the path from $N$ to $\hat{N}$. □


Lemma 9.7. For each node $N$ in $\mathcal{R}^G$, each child node $\hat{N}$ of $N$ is uniquely determined by the label $l$ of the edge from $N$ to $\hat{N}$ and the vertex tag $v_{\hat{N}}$.

Proof. The proof follows from the construction of $\mathcal{R}^G$. Fix $N$. If two outgoing edges $E_1$ and $E_2$ from $N$ have the same label, then that label must be from $\{FD_i \mid i \in \Pi\}$. However, for each location $i$, the outgoing $FD_i$-edges from $N$ each have a different vertex tag, and the vertex tag of an $FD_i$-child $\hat{N}$ of $N$ is the same as the vertex tag of the edge from $N$ to $\hat{N}$. Hence, for any two child nodes of $N$, either the labels of the edges from $N$ to the two children are distinct, or the vertex tags of the two children are distinct. □


Lemma 9.8. For each node $N$ in $\mathcal{R}^G$ and any child $\hat{N}$ of $N$ such that the edge $E$ from $N$ to $\hat{N}$ has the label $FD_i$ (for some location $i$) and the action tag $a_E$ of the edge is non-$\bot$, the following is true. (1) $v_{\hat{N}} \neq v_N$, (2) $a_E$ is the action of $v_{\hat{N}}$, and (3) if $v_N \neq (\bot, 0, \bot)$, then there is an edge from $v_N$ to $v_{\hat{N}}$ in $G$.

Lemma 9.9. For each node $N$ in $\mathcal{R}^G$ and any descendant $\hat{N}$ of $N$ such that there is no FD-edge in the path from $N$ to $\hat{N}$, $v_N = v_{\hat{N}}$.

Proof. The proof is by induction on the length of the path from $N$ to $\hat{N}$. □
Lemma 9.10. For each node $N$ in $\mathcal{R}^G$ and for any descendant $\hat{N}$ of $N$, either $v_N = v_{\hat{N}}$, or, if $v_N \neq (\bot, 0, \bot)$, then there is an edge from $v_N$ to $v_{\hat{N}}$ in $G$.

Proof. Fix $N$ and $\hat{N}$ as in the hypothesis of the lemma. Let the path from $N$ to $\hat{N}$ contain $d$ edges. We prove the lemma by strong induction on $d$.

Inductive hypothesis. For any pair of nodes $N_1$ and $N_2$ such that $N_2$ is a descendant of $N_1$ in $\mathcal{R}^G$ and the path from $N_1$ to $N_2$ contains $d$ edges, either $v_{N_1} = v_{N_2}$, or, if $v_{N_1} \neq (\bot, 0, \bot)$, then there is an edge from $v_{N_1}$ to $v_{N_2}$ in $G$.

Inductive step. Fix $N_1$ and $N_2$. If $d = 0$, note that $N_1 = N_2$, and therefore $v_{N_1} = v_{N_2}$; the lemma is satisfied. For $d = 1$, $N_2$ is a child of $N_1$; let $E_{1,2}$ be the edge from $N_1$ to $N_2$. If $v_{N_1} = v_{N_2}$, the lemma is satisfied. Assume $v_{N_1} \neq v_{N_2}$ and $v_{N_1} \neq (\bot, 0, \bot)$; note that if $v_{N_1} \neq v_{N_2}$, then by construction $E_{1,2}$ is an FD-edge and $a_{E_{1,2}} \neq \bot$. Invoking Lemma 9.8, we know that there is an edge from $v_{N_1}$ to $v_{N_2}$ in $G$.

For any $d > 1$, there exists at least one node $N_{1.5}$ in the path from $N_1$ to $N_2$. Fix $N_{1.5}$. By construction, the path from $N_1$ to $N_{1.5}$ contains fewer than $d$ edges, and the path from $N_{1.5}$ to $N_2$ contains fewer than $d$ edges. Invoking the inductive hypothesis for nodes $N_1$ and $N_{1.5}$, we know that either $v_{N_1} = v_{N_{1.5}}$ or, if $v_{N_1} \neq (\bot, 0, \bot)$, then there is an edge from $v_{N_1}$ to $v_{N_{1.5}}$ in $G$. Similarly, invoking the inductive hypothesis for nodes $N_{1.5}$ and $N_2$, we know that either $v_{N_{1.5}} = v_{N_2}$ or, if $v_{N_{1.5}} \neq (\bot, 0, \bot)$, there is an edge from $v_{N_{1.5}}$ to $v_{N_2}$ in $G$. Therefore, either (1) $v_{N_1} = v_{N_2}$, or (2) if $v_{N_1} \neq (\bot, 0, \bot)$, then $v_{N_{1.5}} \neq (\bot, 0, \bot)$, and there is a path from $v_{N_1}$ to $v_{N_2}$ in $G$. In case (1) the induction is complete. In case (2), invoking the transitive closure property of $G$, we know that there is an edge from $v_{N_1}$ to $v_{N_2}$ in $G$, and the induction is complete. □


Lemma 9.11. For each label $FD_i$ where $i$ is live in $G$, every $FD_i$-edge in $\mathcal{R}^G$ has a non-$\bot$ action tag.

Lemma 9.12. For every branch $b$ of $\mathcal{R}^G$, $exe(b)$ is an execution of system $S$.

Proof. Fix a branch $b$ of $\mathcal{R}^G$. Let $\top, E_1, N_1, E_2, N_2, \ldots$, where each $E_x$ is an edge in $\mathcal{R}^G$ and each $N_x$ is a node in $\mathcal{R}^G$, denote the sequence of nodes and edges that constitute $b$. By definition, $exe(b)$ is the limit of the prefix-ordered sequence $exe(\top), exe(N_1), exe(N_2), \ldots$; note that this sequence might be infinite. Note that $exe(\top)|_{O_D}$ is a prefix of $exe(N_1)|_{O_D}$, and from Lemma 9.6 we know that $exe(N_x)|_{O_D}$ is a prefix of $exe(N_{x+1})|_{O_D}$ for every positive integer $x$. Therefore, the limit of the prefix-ordered sequence $exe(\top)|_{O_D}, exe(N_1)|_{O_D}, exe(N_2)|_{O_D}, \ldots$ exists, and this limit is $exe(b)|_{O_D}$. By Lemma 9.4, we know that $exe(\top)$ and each $exe(N_x)$, where $x$ is a positive integer, is a finite execution of $S$, and therefore $exe(b)$ is an execution of $S$. □


Lemma 9.13. For any node $N$ in $\mathcal{R}^G$, any location $i$ and any $FD_i$-edge $E$ outgoing from $N$, if $a_E = \bot$, then for each outgoing $Proc_i$-edge or $Env_i$-edge $E'$ from $N$, $a_{E'} = \bot$.

Proof. Fix $N$, $i$, and $E$ as in the hypothesis of the lemma; thus, $a_E = \bot$. From the construction of $\mathcal{R}^G$, we know that $a_E = \bot$ iff either $v_N$ is not a vertex in $G$ and there is no vertex in $G$ whose location is $i$, or there is no edge in $G$ from $v_N$ to any vertex whose location is $i$.

Fix $E'$ to be either a $Proc_i$-edge or an $Env_i$-edge outgoing from $N$. From the construction of $\mathcal{R}^G$, we know that if either (a) $v_N$ is a vertex of $G$ and $G$ contains no edge from $v_N$ to a vertex with location $i$, or (b) $v_N = (\bot, 0, \bot)$ and $G$ has no vertex with location $i$, then $a_{E'}$ is $\bot$. □

For any node $N$ in $\mathcal{R}^G$, let $\mathcal{R}^G|_N$ denote the maximal subtree of $\mathcal{R}^G$ rooted at $N$.

Lemma 9.14. For any node $N$ in $\mathcal{R}^G$, any location $i$ and any $FD_i$-edge $E$ outgoing from $N$, if $a_E = \bot$, then for each $Proc_i$-edge or $Env_i$-edge $E'$ in $\mathcal{R}^G|_N$, $a_{E'} = \bot$.

Proof. Fix $N$ and $i$ as in the hypothesis of the lemma; thus, for an outgoing $FD_i$-edge $E$ from $N$, $a_E = \bot$. From the construction of $\mathcal{R}^G$, we know that $a_E = \bot$ iff either $v_N$ is not a vertex in $G$ and there is no vertex in $G$ whose location is $i$, or there is no edge in $G$ from $v_N$ to any vertex whose location is $i$.

Fix $N'$ to be any node in $\mathcal{R}^G|_N$. By construction, $N'$ is $N$ or a descendant of $N$. From the construction of $\mathcal{R}^G$ (Lemma 9.10), for every descendant $N'$ of $N$, if $v_N$ is a vertex in $G$, then $v_{N'}$ is either $v_N$ or a successor of $v_N$ in $G$. Thus, since $G$ is transitively closed, either there is no vertex in $G$ whose location is $i$, or $v_{N'}$ does not have any outgoing edge to a vertex in $G$ whose location is $i$. From the construction of $\mathcal{R}^G$, we see that $a_{E''} = \bot$ for every outgoing $FD_i$-edge $E''$ from $N'$. From Lemma 9.13, we know that for each outgoing $Proc_i$-edge or $Env_i$-edge $E'$ from $N'$, $a_{E'} = \bot$. □


Next, we establish the relationship between traces compatible with $G$ and the action tags of FD-edges in $\mathcal{R}^G$. Specifically, we show the following. For any node $N$ in $\mathcal{R}^G$ such that the vertex tag $v_N$ is a vertex in $G$, let $a$ be the event of $v_N$, and assume that some $FD_i$-edge in the subtree rooted at $N$ has a non-$\bot$ action tag. Then in any trace $t$ compatible with $G$, no $crash_i$ event precedes $a$ in $t$.

Lemma 9.15. Let $N$ be any node in $\mathcal{R}^G$ such that $G$ contains $v_N$. Let there exist an $FD_i$-edge $E$ in $\mathcal{R}^G|_N$ such that $a_E \neq \bot$. Then for any trace $t \in T_E$ that is compatible with $G$, no $crash_i$ event precedes the event of $v_N$ in $t$.

Proof. Fix $N$, $i$, and $E$ as in the hypotheses of the lemma. Let $N'$ denote the upper endpoint of $E$. Since $N'$ is in $\mathcal{R}^G|_N$, $N'$ is $N$ or a descendant of $N$, and consequently, there exists a path from $v_N$ to $v_{N'}$ in $G$. Since $a_E \neq \bot$, we know that $v_{N'}$ has an outgoing edge to some vertex $v$ in $G$; fix $v$ and note that $a_E$ is the event of $v$. Since we have a path from $v_N$ to $v_{N'}$ in $G$ and an edge from $v_{N'}$ to $v$ in $G$, we have a path from $v_N$ to $v$ in $G$. Therefore, in every topological sort of $G$, $v$ follows $v_N$. Now consider $t$, and assume for contradiction that $crash_i$ precedes the event of $v_N$ in $t$. Since $t|_{O_D}$ is a topological sort of $G$, the event of $v$ follows the event of $v_N$ in $t$. Then $crash_i$ precedes the event $a_E$ of $v$ in $t$. Recall that $E$ is an $FD_i$-edge and therefore $a_E \in O_{D,i}$. In other words, $crash_i$ precedes an $O_{D,i}$ event in $t$; thus, $t$ is not a valid sequence. This contradicts our assumption that $t$ is a trace in $T_E$, because all traces in $T_E$ are valid. □

We define a non-$\bot$ node. A node $N$ in $\mathcal{R}^G$ is said to be a non-$\bot$ node iff the path from the root to $N$ does not contain any edges whose action tag is $\bot$. In the subsequent sections, non-$\bot$ nodes play a significant role, and so we prove some useful properties about non-$\bot$ nodes next.

Lemma 9.16. Suppose $N$ and $N'$ are non-$\bot$ nodes in $\mathcal{R}^G$ such that (1) $N$ and $N'$ are at the same depth $d$, (2) the projections of the paths from $\top$ to $N$ and from $\top$ to $N'$ on the set of labels are equal, and (3) the projections of the paths from $\top$ to $N$ and from $\top$ to $N'$ on the vertex tags are also equal. Then $N = N'$.

Proof. The proof is a straightforward induction on $d$. □


The inductive extension of Lemma 9.7 is that each non-$\bot$ node $N$ in $\mathcal{R}^G$ is uniquely determined by the sequence of labels and vertex tags of the edges from $\top$ to $N$. We prove this next.

Lemma 9.17. Each non-$\bot$ node $N$ in $\mathcal{R}^G$ is uniquely determined by the sequence of labels and vertex tags of the edges from $\top$ to $N$.

Proof. The proof is by induction on the depth of $N$.

Base case. The depth is $0$, and there is a unique $\top$ node in $\mathcal{R}^G$.

Inductive hypothesis. For some non-negative integer $d$, each non-$\bot$ node $N$ in $\mathcal{R}^G$ at depth $d$ is uniquely determined by the sequence of labels and vertex tags of the edges from $\top$ to $N$.

Inductive step. Fix $N'$ to be any non-$\bot$ node in $\mathcal{R}^G$ at depth $d + 1$. By construction, there is an edge whose lower endpoint is $N'$ and whose upper endpoint is a node $N''$ at depth $d$. By Lemma 9.7, we know that given $N''$, $N'$ is uniquely determined by the label $l$ of the edge from $N''$ to $N'$ and the vertex tag $v_{N'}$. However, by the inductive hypothesis, $N''$ is uniquely determined by the sequence of labels and vertex tags of the edges from $\top$ to $N''$. Therefore, $N'$ is uniquely determined by the sequence of labels and vertex tags of the edges from $\top$ to $N'$. This completes the induction. □


9.4 Properties of “Similar” Nodes in Execution Trees 

For any two nodes $N$ and $N'$ in $\mathcal{R}^G$ such that $c_N = c_{N'}$ and $v_N = v_{N'}$, the following lemmas establish a relationship between the descendants of $N$ and $N'$. Informally, these lemmas establish that the maximal subtrees of $\mathcal{R}^G$ rooted at $N$ and $N'$ are in some sense similar to each other. Lemma 9.18 establishes that for every child $\hat{N}$ of $N$ there exists a child $\hat{N}'$ of $N'$ that is "similar" to $\hat{N}$. Lemma 9.19 extends such similarity to arbitrary descendants of $N$; that is, for any descendant $\hat{N}$ of $N$, there exist "similar" descendants of $N'$. Lemma 9.20 states that for any descendant $\hat{N}$ of $N$, there exists a descendant $N_\bot$ of $N$ that is "similar" to $\hat{N}$, but the path from $N$ to $N_\bot$ does not contain any edges with a $\bot$ action tag.

The proofs use the notion of "distance" between a node and its descendant, defined next. The distance from a node $N$ to its descendant $\hat{N}$ is the number of edges in the path from $N$ to $\hat{N}$. Note that if the distance from $N$ to $\hat{N}$ is $1$, then $\hat{N}$ is a child of $N$.

Lemma 9.18. Let $N$ and $N'$ be two nodes in $\mathcal{R}^G$ such that $c_N = c_{N'}$ and $v_N = v_{N'}$. Let $l$ be an arbitrary label in $\mathcal{T} \cup \{FD_i \mid i \in \Pi\}$. Let $E$ and $\hat{N}$ be an $l$-edge and the corresponding $l$-child of $N$, respectively. There exists an $l$-edge $E'$ of $N'$ and the corresponding $l$-child $\hat{N}'$ of $N'$ such that $a_E = a_{E'}$, $v_E = v_{E'}$, $c_{\hat{N}} = c_{\hat{N}'}$, and $v_{\hat{N}} = v_{\hat{N}'}$.

Proof. Fix $N$, $N'$, $l$, $E$, and $\hat{N}$ as in the hypotheses of the lemma. We consider two cases: $l$ is in $\mathcal{T}$, and $l$ is in $\{FD_i \mid i \in \Pi\}$.

Case 1. $l \in \mathcal{T}$. Since $c_N = c_{N'}$, $v_N = v_{N'}$, and the system is task-deterministic, we know that there exists an outgoing $l$-edge $E'$ from $N'$ such that $a_E = a_{E'}$. Let $\hat{N}'$ be the $l$-child of $N'$ connected by edge $E'$. Since $c_{\hat{N}}$ is obtained by applying $a_E$ to $c_N$, and $c_{\hat{N}'}$ is obtained by applying $a_{E'}$ to $c_{N'}$, we see that $c_{\hat{N}} = c_{\hat{N}'}$. Also, by construction, $v_{\hat{N}} = v_N = v_E$ and $v_{\hat{N}'} = v_{N'} = v_{E'}$; therefore, $v_E = v_{E'}$ and $v_{\hat{N}} = v_{\hat{N}'}$.

Case 2. $l$ is of the form $FD_i$, for some particular $i$. Then we consider two subcases: (a) $a_E = \bot$ and (b) $a_E \neq \bot$.

Subcase 2(a). $a_E = \bot$. Then either (i) $v_N = (\bot, 0, \bot)$ and $G$ has no vertices with location $i$, or (ii) $v_N$ is a vertex of $G$ and $G$ has no vertices with location $i$ to which $v_N$ has an outgoing edge. In both cases (i) and (ii), by construction, $v_{\hat{N}} = v_N = v_E$. Since $v_N = v_{N'}$, from the construction of $\mathcal{R}^G$, we know that there is an $l$-edge $E'$ of $N'$ such that $a_{E'} = \bot$, and we also know that for the $l$-child $\hat{N}'$ of $N'$ that is connected to $N'$ by $E'$, $v_{\hat{N}'} = v_{N'} = v_{E'}$. Therefore, $v_E = v_{E'}$ and $v_{\hat{N}} = v_{\hat{N}'}$.

Subcase 2(b). $a_E \neq \bot$. Then either (i) $v_N = (\bot, 0, \bot)$ and $G$ has a vertex $v'$ of the form $(i, *, a_E)$, or (ii) $v_N$ is a vertex of $G$ and $G$ has a vertex $v'$ of the form $(i, *, a_E)$ to which $v_N$ has an outgoing edge, such that $v_{\hat{N}} = v'$. Since $v_N = v_{N'}$, in both cases (i) and (ii), from the construction of $\mathcal{R}^G$, we know that there is an $l$-edge $E'$ of $N'$ such that $a_{E'} = a_E$ and $v_{E'} = v_E$, and we also know that for the $l$-child $\hat{N}'$ of $N'$ that is connected to $N'$ by $E'$, $v_{\hat{N}'} = v'$. Therefore, $v_E = v_{E'}$ and $v_{\hat{N}} = v_{\hat{N}'}$.

In both subcases, since $c_{\hat{N}}$ is obtained by applying $a_E$ to $c_N$, and $c_{\hat{N}'}$ is obtained by applying $a_{E'}$ to $c_{N'}$, we see that $c_{\hat{N}} = c_{\hat{N}'}$. □


Lemma 9.19. Let $N$ and $N'$ be two nodes in $\mathcal{R}^G$ such that $c_N = c_{N'}$ and $v_N = v_{N'}$, and let $\hat{N}$ be a descendant of $N$. There exists a descendant $\hat{N}'$ of $N'$ such that the following is true.

1. $v_{\hat{N}} = v_{\hat{N}'}$.

2. $c_{\hat{N}} = c_{\hat{N}'}$.

3. Let the path from $N$ to $\hat{N}$ be $p$ and the path from $N'$ to $\hat{N}'$ be $p'$. Then $p$ and $p'$ are of the same length.

4. The suffix of $exe(\hat{N})$ following $exe(N)$ is identical to the suffix of $exe(\hat{N}')$ following $exe(N')$.

Proof. The lemma is a simple inductive extension of Lemma 9.18. The proof follows from a straightforward induction on the length of the path from $N$ to $\hat{N}$. □


Next, we show that for any node $N$ and any descendant $\hat{N}$ of $N$, there exists a descendant $N_\bot$ of $N$ that is "similar" to $\hat{N}$, and the path from $N$ to $N_\bot$ does not contain any edges with a $\bot$ action tag.

Lemma 9.20. Let $N$ be an arbitrary node in $\mathcal{R}^G$. For every descendant $\hat{N}$ of $N$, there exists a descendant $N_\bot$ of $N$ such that $v_{\hat{N}} = v_{N_\bot}$, the suffix of $exe(\hat{N})$ following $exe(N)$ is identical to the suffix of $exe(N_\bot)$ following $exe(N)$, and the path from $N$ to $N_\bot$ does not contain any edges whose action tag is $\bot$.

Proof. Fix $N$ and $\hat{N}$ as in the hypothesis of the lemma. Let $p$ be the path from $N$ to $\hat{N}$. If $p$ does not contain any edges whose action tag is $\bot$, then the lemma is satisfied with $N_\bot = \hat{N}$. Otherwise, the following arguments hold.

Let $\alpha$ be the suffix of $exe(\hat{N})$ following $exe(N)$, starting with the state $c_N$. Let $\alpha_t$ denote the trace of $\alpha$, and let $\alpha_l$ denote the sequence of tasks in $S$ such that for each $x$, $\alpha_t[x]$ is an action in task $\alpha_l[x]$. By construction, there exists a path from $N$ whose projection on the labels is $\alpha_l$, and furthermore, since $\alpha_t$ is the trace of $\alpha$ and the starting state of $\alpha$ is $c_N$, there exists a path $p_\bot$ from $N$ whose projection on action tags is $\alpha_t$; fix such a path $p_\bot$ and let $N_\bot$ be its last node. Note that, by construction, $\alpha_t$ does not contain any $\bot$ elements. Thus, path $p_\bot$ has no edges with a $\bot$ action tag, and the suffix of $exe(N_\bot)$ following $exe(N)$ is identical to the suffix of $exe(\hat{N})$ following $exe(N)$. □

Corollary 9.21. For each node $N$ in $\mathcal{R}^G$, there exists a non-$\bot$ node $N'$ in $\mathcal{R}^G$ such that $exe(N) = exe(N')$ and $v_N = v_{N'}$.

Proof. Follows by applying Lemma 9.20 to the root node and noting that $N$ is a descendant of the root node. □






9.5 Properties of Similar-Modulo-i Nodes in Execution Trees 

Next, we establish properties of $\mathcal{R}^G$ with respect to nodes whose configuration tags and vertex tags are indistinguishable at all process automata except one. The aforementioned relation between nodes is formalized as the similar-modulo-$i$ relation (where $i$ is a location). Intuitively, we say that node $N$ is similar-modulo-$i$ to $N'$ if the only process automaton that can distinguish state $c_N$ from state $c_{N'}$ is the process automaton at $i$. The formal definition follows.

Given two nodes $N$ and $N'$ in $\mathcal{R}^G$ and a location $i$, $N$ is said to be similar-modulo-$i$ to $N'$ (denoted $N \sim_i N'$) if the following are true.

1. $v_N = v_{N'}$.

2. For every location $j \in \Pi \setminus \{i\}$, the state of $Proc_j$ is the same in $c_N$ and $c_{N'}$.

3. For every location $j \in \Pi \setminus \{i\}$, the state of $\mathcal{E}_j$ is the same in $c_N$ and $c_{N'}$.

4. For every pair of distinct locations $j, k \in \Pi \setminus \{i\}$, the state of $Chan_{j,k}$ is the same in $c_N$ and $c_{N'}$.

5. For every location $j \in \Pi \setminus \{i\}$, the contents of the queue in $Chan_{i,j}$ in state $c_N$ is a prefix of the contents of the queue in $Chan_{i,j}$ in state $c_{N'}$.

Note that due to property 5, the relation is not symmetric; that is, $N \sim_i N'$ does not imply $N' \sim_i N$. However, the relation is reflexive; that is, $N \sim_i N$ for any node $N$.

Also note that if $N \sim_i N'$, then the states of $Proc_i$, $\mathcal{E}_i$, and $Chan_{j,i}$ for all $j \neq i$ may be different in $c_N$ and $c_{N'}$. Furthermore, the states of $Chan_{i,j}$ for all $j \neq i$ may also be different in $c_N$ and $c_{N'}$, but it is required that the messages in transit from $i$ to $j$ in state $c_N$ form a prefix of the messages in transit from $i$ to $j$ in state $c_{N'}$.

We define a node to be a post-$crash_i$ node, where $i$ is a location, if the following property is satisfied. If $v_N = (\bot, 0, \bot)$, then there are no vertices in $G$ whose location is $i$. Otherwise, there are no outgoing edges in $G$ from $v_N$ to any vertex whose location is $i$. Note that if $\mathcal{R}^G$ contains any post-$crash_i$ node, then $i$ is not live in $G$. Furthermore, if a node $N$ in $\mathcal{R}^G$ is a post-$crash_i$ node and there exists a node $N'$ such that $N \sim_i N'$, then $N'$ is also a post-$crash_i$ node, because $v_N = v_{N'}$.
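The five conditions of the similar-modulo-$i$ relation are a decision procedure on a pair of tagged nodes, and the asymmetry introduced by condition 5 is easy to get wrong when reasoning about it informally. The following Python checker is an added example written for this edition, not code from the paper. It assumes a concrete representation of a node as a pair (vertex tag, configuration) where the configuration is a dictionary holding the states of $Proc_j$, $\mathcal{E}_j$ and the message queues of $Chan_{j,k}$; the three-location configurations it is run on are constructed for the example.

```python
def is_prefix(shorter, longer):
    """True iff the message queue `shorter` is a prefix of the message queue `longer`."""
    return len(shorter) <= len(longer) and tuple(longer[:len(shorter)]) == tuple(shorter)


def similar_modulo(N, N2, i, locations):
    """Decide N ~_i N2. A node is a pair (vtag, ctag); a configuration ctag is a dict with
    keys 'Proc' (location -> process state), 'Env' (location -> environment state) and
    'Chan' ((j, k) -> tuple of messages in transit from j to k). This representation is
    an assumption of the example, not the paper's."""
    vN, cN = N
    vN2, cN2 = N2
    others = [j for j in locations if j != i]
    if vN != vN2:                                                    # (1) same vertex tag
        return False
    for j in others:                                                 # (2) Proc_j and (3) E_j
        if cN['Proc'][j] != cN2['Proc'][j] or cN['Env'][j] != cN2['Env'][j]:
            return False
    for j in others:                                                 # (4) channels avoiding i
        for k in others:
            if j != k and cN['Chan'][(j, k)] != cN2['Chan'][(j, k)]:
                return False
    # (5) messages from i to j in N form a prefix of those in N2. Chan_{j,i}, Proc_i and
    # E_i are unconstrained, and the prefix test is what makes the relation asymmetric.
    return all(is_prefix(cN['Chan'][(i, j)], cN2['Chan'][(i, j)]) for j in others)


def make_config(locations, proc, env, chan):
    """Build a full configuration, defaulting every unspecified channel queue to empty."""
    chans = {(j, k): () for j in locations for k in locations if j != k}
    chans.update(chan)
    return {'Proc': dict(proc), 'Env': dict(env), 'Chan': chans}


# Constructed example: nodes A and B agree at locations 2 and 3 and on Chan_{2,3}, Chan_{3,2};
# they differ at location 1 and on channels touching 1, and Chan_{1,2} in A is a prefix of
# Chan_{1,2} in B. Node C differs from A in the state of Proc_2.
LOCS = (1, 2, 3)
V = (2, 1, 'suspect')                    # shared vertex tag (location, index, event)
A = (V, make_config(LOCS, {1: 'idle', 2: 'wait', 3: 'wait'}, {1: 'e0', 2: 'e1', 3: 'e1'},
                    {(1, 2): ('m1',), (3, 1): ('x',)}))
B = (V, make_config(LOCS, {1: 'done', 2: 'wait', 3: 'wait'}, {1: 'e9', 2: 'e1', 3: 'e1'},
                    {(1, 2): ('m1', 'm2'), (2, 1): ('y',)}))
C = (V, make_config(LOCS, {1: 'idle', 2: 'busy', 3: 'wait'}, {1: 'e0', 2: 'e1', 3: 'e1'}, {}))


def demo():
    """Returns (A ~_1 B, B ~_1 A, A ~_1 A, A ~_1 C)."""
    return (similar_modulo(A, B, 1, LOCS), similar_modulo(B, A, 1, LOCS),
            similar_modulo(A, A, 1, LOCS), similar_modulo(A, C, 1, LOCS))
```

Running `demo()` gives `(True, False, True, False)`: $A \sim_1 B$ holds because every difference is confined to location 1 and the queue of $Chan_{1,2}$ in $A$ is a prefix of that in $B$; $B \sim_1 A$ fails on condition 5 alone, which is the non-symmetry noted above; the relation is reflexive; and a differing $Proc_2$ state breaks condition 2.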

Lemma 9.22. Let $N$ and $N'$ be two post-$crash_i$ nodes in $\mathcal{R}^G$ for some location $i$ in $\Pi$, such that $N \sim_i N'$. Let $l$ be any label, and let $\hat{N}$ be an $l$-child of $N$. Then one of the following is true: (1) $\hat{N} \sim_i N'$, or (2) there exists an $l$-child $\hat{N}'$ of $N'$ such that $\hat{N}$ and $\hat{N}'$ are post-$crash_i$ nodes and $\hat{N} \sim_i \hat{N}'$.

Proof. Fix $N$, $N'$, $i$, $l$, and $\hat{N}$ as in the hypotheses of the lemma. Let $E$ be the $l$-edge from $N$ to $\hat{N}$ and let $a_E$ be the action tag of $E$.

If $a_E = \bot$, then by Lemma 9.5 we know that $c_N = c_{\hat{N}}$ and $v_N = v_{\hat{N}}$. Therefore, $\hat{N} \sim_i N'$, and the lemma is satisfied. For the remainder of this proof, we assume $a_E \neq \bot$.

Note that label $l$ is an element of $\{Proc_i\} \cup \{Env_{i,x} \mid x \in X_i\} \cup \{FD_i\} \cup \{Proc_j \mid j \in \Pi \setminus \{i\}\} \cup \{Env_{j,x} \mid j \in \Pi \setminus \{i\} \wedge x \in X_j\} \cup \{FD_j \mid j \in \Pi \setminus \{i\}\} \cup \{Chan_{j,k} \mid j \in \Pi \wedge k \in \Pi \setminus \{j\}\}$.

Case 1. $l \in \{Proc_i\} \cup \{Env_{i,x} \mid x \in X_i\}$. From the definition of a post-$crash_i$ node, we know that there are no vertices with location $i$ that have an incoming edge from $v_N$ ($= v_{N'}$), and, if $v_N = (\bot, 0, \bot)$, no vertices with location $i$ at all. Therefore, from the construction of $\mathcal{R}^G$, we see that $a_E = a_{E'} = \bot$. In this case, we have already established that $\hat{N} \sim_i N'$.

Case 2. $l = FD_i$. We know that there are no vertices with location $i$ that have an incoming edge from $v_N$ (and none at all if $v_N = (\bot, 0, \bot)$), and therefore $a_E = a_{E'} = \bot$. In this case, we have already established that $\hat{N} \sim_i N'$.

For the remainder of the cases, let $E'$ be the $l$-edge of $N'$ whose vertex tag is $v_E$ (such an edge exists because the $FD_j$-edges out of a node are determined by its vertex tag alone, and for every other label there is exactly one outgoing $l$-edge), and let $\hat{N}'$ be the $l$-child of $N'$ connected to $N'$ by edge $E'$. Note that since $v_N = v_{N'}$, we know that $v_{\hat{N}} = v_{\hat{N}'}$.

Case 3. $l \in \{Proc_j \mid j \in \Pi \setminus \{i\}\} \cup \{Env_{j,x} \mid j \in \Pi \setminus \{i\} \wedge x \in X_j\}$. From the definition of the $\sim_i$ relation, we know that the state of $Proc_j$ is the same in states $c_N$ and $c_{N'}$, and similarly, the state of $\mathcal{E}_j$ is the same in states $c_N$ and $c_{N'}$. Therefore, $a_E = a_{E'}$. Consequently, the state of $Proc_j$ is the same in $c_{\hat{N}}$ and $c_{\hat{N}'}$, and the state of $\mathcal{E}_j$ is the same in $c_{\hat{N}}$ and $c_{\hat{N}'}$.

Also, from the definition of the $\sim_i$ relation, we know that for every location $k \in \Pi \setminus \{i, j\}$ the state of $Chan_{j,k}$ is the same in $c_N$ and $c_{N'}$. Therefore, if $a_E$ changes the state of $Chan_{j,k}$ for some $k \neq i$, then the state of $Chan_{j,k}$ is the same in $c_{\hat{N}}$ and $c_{\hat{N}'}$. The states of all other automata in $S$ are unchanged. We have already established that $v_{\hat{N}} = v_{\hat{N}'}$; we can verify that $\hat{N} \sim_i \hat{N}'$.

Case 4. $l \in \{FD_j \mid j \in \Pi \setminus \{i\}\}$. Since $v_E = v_{E'}$, we see that $a_E = a_{E'}$. Applying $a_E$ to $c_N$ and applying $a_{E'}$ to $c_{N'}$, and recalling that we have already established $v_{\hat{N}} = v_{\hat{N}'}$, we can verify that $\hat{N} \sim_i \hat{N}'$.

Case 5. Let $l$ be $Chan_{j,k}$ where $j \in \Pi$ and $k \in \Pi \setminus \{j\}$. Recall that we have already established $v_{\hat{N}} = v_{\hat{N}'}$. We consider three subcases: (a) $k = i$, (b) $j \neq i$ and $k \neq i$, (c) $j = i$.

Case 5(a). Let $l$ be $Chan_{j,i}$ where $j \in \Pi \setminus \{i\}$. Since the definition of $\sim_i$ does not restrict the state of $Chan_{j,i}$ or the state of the process automaton at $i$, we see that $\hat{N} \sim_i \hat{N}'$.

Case 5(b). Let $l$ be $Chan_{j,k}$ where $j \in \Pi \setminus \{i\}$ and $k \in \Pi \setminus \{i, j\}$. From the definition of the $\sim_i$ relation, we know that the state of $Chan_{j,k}$ is the same in $c_N$ and $c_{N'}$. Therefore, $a_E = a_{E'}$. Thus, we see that the state of $Chan_{j,k}$ is the same in $c_{\hat{N}}$ and $c_{\hat{N}'}$. Similarly, since $N \sim_i N'$ and $a_E = a_{E'}$, we see that the state of the process automaton at $k$ is also the same in $c_{\hat{N}}$ and $c_{\hat{N}'}$. The states of all other automata in $S$ are unchanged. Thus, we can verify that $\hat{N} \sim_i \hat{N}'$.

Case 5(c). Let $l$ be $Chan_{i,k}$ where $k \in \Pi \setminus \{i\}$. Since we have assumed $a_E \neq \bot$, $a_E$ must be the action $receive(m, i)_k$ for some message $m$. From the definition of the $\sim_i$ relation, we know that the queue of messages in $Chan_{i,k}$ in state $c_N$ is a prefix of the queue of messages in $Chan_{i,k}$ in state $c_{N'}$, and the state of the process automaton at $k$ is the same in $c_N$ and $c_{N'}$. Therefore, action $a_E$ is enabled in state $c_{N'}$ and is in task $l$; therefore $a_E = a_{E'}$.

Consequently, the queue of messages in $Chan_{i,k}$ in state $c_{\hat{N}}$ is a prefix of the queue of messages in $Chan_{i,k}$ in state $c_{\hat{N}'}$. Recall that the state of the process automaton at $k$ is the same in $c_N$ and $c_{N'}$. Therefore, the state of the process automaton at $k$ is the same in states $c_{\hat{N}}$ and $c_{\hat{N}'}$. The states of all other automata in $S$ are unchanged. Thus, we can verify that $\hat{N} \sim_i \hat{N}'$. Furthermore, note that by construction (Lemma 9.10 together with the transitive closure of $G$), if a node $N_0$ is a post-$crash_i$ node, then all its descendants are post-$crash_i$ nodes. Therefore, $\hat{N}$ and $\hat{N}'$ are post-$crash_i$ nodes. □

Theorem 9.23. Let $N$ and $N'$ be two post-$crash_i$ nodes in $\mathcal{R}^G$ for some location $i$ in $\Pi$ such that $N \sim_i N'$. For every descendant $\hat{N}$ of $N$, there exists a descendant $\hat{N}'$ of $N'$ such that $\hat{N}$ and $\hat{N}'$ are post-$crash_i$ nodes and $\hat{N} \sim_i \hat{N}'$.

Proof. Fix $N$, $N'$, and $i$ as in the hypothesis of the theorem; thus, $N$ and $N'$ are post-$crash_i$ nodes and $N \sim_i N'$. The proof is by induction on the distance from $N$ to $\hat{N}$.

Base case. Let the distance from $N$ to $\hat{N}$ be $0$. That is, $\hat{N} = N$. Trivially, we see that $\hat{N}' = N'$ satisfies the theorem.

Inductive hypothesis. For every descendant $\hat{N}$ of $N$ at a distance $k$ from $N$, there exists a descendant $\hat{N}'$ of $N'$ such that $\hat{N}$ and $\hat{N}'$ are post-$crash_i$ nodes and $\hat{N} \sim_i \hat{N}'$.

Inductive step. Fix $\hat{N}$ to be a descendant of $N$ at a distance $k + 1$ from $N$. Let $N_k$ be the parent of $\hat{N}$. Note that, by construction, $N_k$ is a descendant of $N$ at a distance $k$ from $N$. Let $l$ be the label of the edge $E$ that connects $N_k$ and $\hat{N}$. By the inductive hypothesis, there exists a descendant $N'_k$ of $N'$ such that $N_k$ and $N'_k$ are post-$crash_i$ nodes and $N_k \sim_i N'_k$. Invoking Lemma 9.22, we know that at least one of the following is true: (1) $\hat{N} \sim_i N'_k$; (2) there exists an $l$-child $\hat{N}'$ of $N'_k$ such that $\hat{N}$ and $\hat{N}'$ are post-$crash_i$ nodes and $\hat{N} \sim_i \hat{N}'$. In other words, there exists a descendant $\hat{N}'$ of $N'$ such that $\hat{N}$ and $\hat{N}'$ are post-$crash_i$ nodes and $\hat{N} \sim_i \hat{N}'$.

This completes the induction and the proof. □


9.6 Properties of Task Trees from Different Observations 


Next, we present the properties of task trees from two observations $G$ and $G'$, where $G'$ is a prefix of $G$. Lemma 9.24 states that for every path in $\mathcal{R}^{G'}$ that does not contain any edges with $\bot$ action tags, a corresponding path of the same length with the same tags and labels on the corresponding nodes and edges exists in $\mathcal{R}^G$. Corollaries 9.25 and 9.26 state that for every node in $\mathcal{R}^{G'}$, there exist nodes in $\mathcal{R}^G$ such that both nodes represent the same execution of the system $S$. Lemma 9.27 proves a stronger property about non-$\bot$ nodes; specifically, it shows that for every non-$\bot$ node in $\mathcal{R}^{G'}$, there is a corresponding node, called a "replica", in $\mathcal{R}^G$ such that both nodes have identical paths from the $\top$ node in their respective execution trees. Lemma 9.28 states that for every path $p$ in $\mathcal{R}^G$ such that the sequence of distinct non-$(\bot, 0, \bot)$ vertex tags in $p$ is a path in $G'$, there exists a corresponding path in $\mathcal{R}^{G'}$ of the same length with the same tags and labels on the corresponding nodes and edges.

We extend the result from Lemma 9.27 to execution trees constructed from a sequence of observations, where each is a prefix of the next observation in the sequence; in Lemma 9.29 we show that non-$\bot$ nodes persist from one execution tree to the next, and in Lemma 9.30 we show that they persist in an infinite suffix of the execution trees.


Lemma 9.24. Let an observation G' be a prefix of an observation G. Fix any path p' in TZ^' that 
starts at the root node and does not eontain edges with T action tags. Let the length of p' be k 
edges. Then there exists a “corresponding” path p in TZ^ of length k such that the following is true. 
(1) For every positive integer x < k + 1, let be the x-th node in p' and let Nx he the x-th node 
inp. Then the tags of are identical to the tags of Nx. (2) For any positive integer x < k, let E'^ 
he the x-th edge in p', and let Ex be the x-th edge in p. Then the tags and labels of E’^ are identical 
to the tags and labels of Ex. 


Proof. Fix G' and G as in the hypothesis of the lemma. The proof follows from a simple induction 
on the length k of path ph 

Base case, k = 0. There exists a single path fi consisting of k edges that starts at the root 
node of TZ^ . Let Nq be the root node of TZ^ with vertex tag = (T,0,T) and conhg tag Cjv^ 
is the start state of system S. Similarly, there exists a single path p consisting of k edges that 
starts at the root node of TZ'^ and contains no edges. Nq is the root node of TZ^ with vertex tag 
vnq = (T, 0, T) and conhg tag cnq is the start state of system S. 

Inductive hypothesis. For some non-negative integer k, for every path p' consisting of k edges in 
TZ^ that starts at the root node and does not contain edges with T action tags. Then there exists 
a “corresponding” path p in TZ^ consisting of k edges such that the following is true. (1) For every 
positive integer x < A: + 1, let Nf be the x-th node in p' and let Nx be the x-th node in p. Then 
the tags of Nf are identical to the tags of Nx. (2) For any positive integer x < k, let Ex be the 
x-th edge in p', and let Ex be the x-th edge in p. Then the tags and labels of E'x are identical to 
the tags and labels of Ex. 

Inductive step. Fix any path p' consisting of A: + 1 edges that starts at the root node of IZ^ 
and does not contain edges with T action tags. Let p'^^e be the prehx of p' that consists of k edges. 
By the inductive hypotheses, there exists a “corresponding” path pp^e in 7Z^ consisting of k edges 
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such that the following is true. (1) For every positive integer x < A; + 1, let N'^ be the x-th node in 
and let Nx be the x-th node in ppre- Then the tags of N'^ are identical to the tags of Nx- (2) 
For any positive integer x < k, let be the x-th edge in Pp^g, and let Ex be the x-th edge in Ppre- 
Then the tags and labels of E'^ are identical to the tags and labels of Ex- 

The last node of Pp^g and ppre are and N^+i, respectively. By the inductive hypotheses, 

= C 7 Vfe+i and Consider the node N” that is the last node of path p'. By 

construction, there is an edge E” from to N", and furthermore, qe" ^ -L. Let the label of E” 
be I". Note that either (1) I" is of the form ED^,, or (2) I" G T is a task in system S. We consider 
each case separately. 

Case 1. I" is of the form FD^,. Since ag" 7 ^ -L, we know from the construction of the task tree 
that the vertex tags ve" = ve", ve" is of the form {i, k, aE"), where z is a location and A; is a positive 
integer. Furthermore, we know that ve" is a vertex in G\ and either (a) = (-L, 0, _L) or (b) G' 

contains an edge from vmi to ve"- From the inductive hypothesis we know that Vm' = ■ 

Since G' is a prefix of G, we know that G contains the vertex ve"- 

If = (-L, 0, _L), then = (-L, 0, _L). Otherwise, G' contains an edge from to ve", 
and since G' is a prefix of G, G contains an edge from to ve"- In both cases, we see that, from 

the construction of the task tree, TiP contains an V'-edge E" from Nk+i to a node N" such that 
a^, = aE" and v^, = = ve"- From the inductive hypothesis, we know that 

Since cat" is obtained by applying aE" to and cj^ is obtained by applying a^, to catj.^^, we 

see that cat" = cj^. 

Case 2. $l'' \in T$. Since $c_{N'_{k+1}} = c_{N_{k+1}}$, $v_{N'_{k+1}} = v_{N_{k+1}}$, and the system is task deterministic, we know that there exists an outgoing $l''$-edge $\bar{E}''$ from $N_{k+1}$ to a node $\bar{N}''$ such that $a_{\bar{E}''} = a_{E''}$. Since $c_{N''}$ is obtained by applying $a_{E''}$ to $c_{N'_{k+1}}$ and $c_{\bar{N}''}$ is obtained by applying $a_{\bar{E}''}$ to $c_{N_{k+1}}$, we see that $c_{N''} = c_{\bar{N}''}$. Also, by construction, $v_{N''} = v_{N'_{k+1}} = v_{E''}$ and $v_{\bar{N}''} = v_{N_{k+1}} = v_{\bar{E}''}$; therefore, $v_{E''} = v_{\bar{E}''}$ and $v_{N''} = v_{\bar{N}''}$.

Therefore, in all cases there exists an $l''$-edge $\bar{E}''$ from $N_{k+1}$ to a node $\bar{N}''$ in $\mathcal{R}^G$ such that the tags of $N''$ and $\bar{N}''$ are identical, and the tags and labels of $E''$ and $\bar{E}''$ are identical. Recall that $E''$ is an $l''$-edge from $N'_{k+1}$ to $N''$.

Recall that $p'$ is a path consisting of $k+1$ edges whose prefix is the path $p'_{pre}$ consisting of $k$ edges starting from the root node in $\mathcal{R}^{G'}$ and containing no edges with $\bot$ action tags, and $p_{pre}$ is a path consisting of $k$ edges starting from the root node in $\mathcal{R}^G$ and containing no edges with $\bot$ action tags. Furthermore, the last node of $p'_{pre}$ is $N'_{k+1}$ and the last node of $p_{pre}$ is $N_{k+1}$. Also recall that (1) for every positive integer $x \le k+1$, the tags of $N'_x$ are identical to the tags of $N_x$, and (2) for every positive integer $x \le k$, the tags and labels of $E'_x$ are identical to the tags and labels of $E_x$. Therefore, we extend $p_{pre}$ by edge $\bar{E}''$ to obtain a path $p$ such that the following is true.

(1) For every positive integer $x \le k+2$, let $N'_x$ be the $x$-th node in $p'$ and let $N_x$ be the $x$-th node in $p$. Then the tags of $N'_x$ are identical to the tags of $N_x$. (2) For any positive integer $x \le k+1$, let $E'_x$ be the $x$-th edge in $p'$, and let $E_x$ be the $x$-th edge in $p$. Then the tags and labels of $E'_x$ are identical to the tags and labels of $E_x$.

This completes the induction. □


Corollary 9.25. If an observation $G'$ is a prefix of an observation $G$, then for every node $N'$ in $\mathcal{R}^{G'}$, there exists a node $N$ in $\mathcal{R}^G$ such that $exe(N') = exe(N)$ and $v_{N'} = v_N$.


Proof. Fix a node $N'$ in $\mathcal{R}^{G'}$. By Lemma 9.20 we know that there exists a node $N'_0$ in $\mathcal{R}^{G'}$ such that $v_{N'} = v_{N'_0}$ and $exe(N') = exe(N'_0)$, and the path from the root to $N'_0$ does not contain any edges with $\bot$ action tag. Invoking Lemma 9.24, we know that there exists a node $N$ in $\mathcal{R}^G$ such that the path from the root to $N$ in $\mathcal{R}^G$ and the path from the root to $N'_0$ in $\mathcal{R}^{G'}$ contain the same sequence of action tags and vertex tags. Therefore, $exe(N) = exe(N'_0)$ and $v_N = v_{N'_0}$. Therefore, $exe(N') = exe(N)$ and $v_{N'} = v_N$. □


Corollary 9.26. If an observation $G'$ is a prefix of an observation $G$, then for every node $N'$ in $\mathcal{R}^{G'}$, there exists a non-$\bot$ node $N$ in $\mathcal{R}^G$ such that $exe(N') = exe(N)$ and $v_{N'} = v_N$.

Proof. Fix $G'$, $G$ and $N'$ as in the hypotheses of the corollary. Invoking Corollary 9.25, we know there exists a node $N_0$ in $\mathcal{R}^G$ such that $exe(N') = exe(N_0)$ and $v_{N'} = v_{N_0}$. Invoking Corollary 9.21 on node $N_0$, we know that there exists a non-$\bot$ node $N$ in $\mathcal{R}^G$ such that $exe(N_0) = exe(N)$ and $v_{N_0} = v_N$. In other words, there exists a non-$\bot$ node $N$ in $\mathcal{R}^G$ such that $exe(N') = exe(N)$ and $v_{N'} = v_N$. □

Lemma 9.27. If an observation $G'$ is a prefix of an observation $G$, then for every non-$\bot$ node $N'$ in $\mathcal{R}^{G'}$, there exists a unique non-$\bot$ node $N$ in $\mathcal{R}^G$ such that the sequence of labels and vertex tags of the edges from $\top$ to $N'$ in $\mathcal{R}^{G'}$ is identical to the sequence of labels and vertex tags of the edges from $\top$ to $N$ in $\mathcal{R}^G$.

Proof. Fix $G$, $G'$, and $N'$ as in the hypothesis of the lemma. Applying Lemma 9.24 to the path in $\mathcal{R}^{G'}$ from $\top$ to $N'$, we conclude that there is at least one non-$\bot$ node $N$ in $\mathcal{R}^G$ such that the sequence of labels and vertex tags of the edges from $\top$ to $N'$ in $\mathcal{R}^{G'}$ is identical to the sequence of labels and vertex tags of the edges from $\top$ to $N$ in $\mathcal{R}^G$. Fix any such node $N$. Applying Lemma 9.17 to $N$, we conclude that $N$ is unique. □

Lemma 9.28. Let an observation $G'$ be a prefix of an observation $G$. Fix any path $p$ in $\mathcal{R}^G$ such that (1) $p$ starts at the root node and (2) the sequence of distinct non-$(\bot, 0, \bot)$ vertex tags in $p$ is the sequence of vertices in some path in $G'$. Let the length of $p$ be $k$ edges. Then there exists a "corresponding" path $p'$ in $\mathcal{R}^{G'}$ of length $k$ such that the following is true. (1) For every positive integer $x \le k+1$, let $N'_x$ be the $x$-th node in $p'$ and let $N_x$ be the $x$-th node in $p$. Then the tags of $N'_x$ are identical to the tags of $N_x$. (2) For any positive integer $x \le k$, let $E'_x$ be the $x$-th edge in $p'$, and let $E_x$ be the $x$-th edge in $p$. Then the tags and labels of $E'_x$ are identical to the tags and labels of $E_x$.

Proof. The proof follows from a simple induction on the length $k$ of path $p$. □


Given any pair of observations $G$ and $G'$ such that $G'$ is a prefix of $G$, and given a non-$\bot$ node $N'$ in $\mathcal{R}^{G'}$, we define the replica of $N'$ from $G'$ in $G$ to be the unique node $N$ in $\mathcal{R}^G$ that satisfies Lemma 9.27. We use this notion of a replica node to talk about a non-$\bot$ node "persisting" over task trees constructed from a sequence of observations such that each observation in the sequence is a prefix of each succeeding observation.

Given a non-$\bot$ node $N$ in a tree $\mathcal{R}^{G'}$ and its replica $N'$ in a tree $\mathcal{R}^G$, since the sequence of labels and vertex tags of the edges from $\top$ to $N$ in $\mathcal{R}^{G'}$ is identical to the sequence of labels and vertex tags of the edges from $\top$ to $N'$ in $\mathcal{R}^G$, we refer to any non-$\bot$ node $N$ and its replicas as $N$.

Let $\mathcal{G} = G_1, G_2, \ldots$ be an infinite sequence of finite observations such that (1) for any positive integer $x$, $G_x$ is a prefix of $G_{x+1}$, and (2) the sequence of observations converges to some observation $G^\infty$.

Lemma 9.29. Fix a positive integer $x$ and suppose $N$ is a non-$\bot$ node in $\mathcal{R}^{G_x}$. Then $\mathcal{R}^{G_{x+1}}$ contains $N$.

Proof. Follows from Lemma 9.27. □

Lemma 9.30. Fix a positive integer $x$ and suppose $N$ is a non-$\bot$ node in $\mathcal{R}^{G_x}$. Then for any $x' > x$, $\mathcal{R}^{G_{x'}}$ contains $N$.

Proof. The proof follows from a simple induction on $x' - x$. □


9.7 Fair Branches of Execution Trees

In this subsection, we define fair branches of execution trees, and we establish the correspondence between fair branches in the execution trees and fair traces of system $S$.[5]

We define a branch of an infinite task tree $\mathcal{R}^G$ of the observation $G$ to be a fair branch if, for each label $l$, the branch contains an infinite number of edges labeled $l$. Therefore, a fair branch satisfies the following properties.

Lemma 9.31. For each location $i$, and each fair branch $b$ of $\mathcal{R}^G$, the following are true.

1. Branch $b$ contains infinitely many $FD_i$, $Proc_i$ and $Env_{i,x}$ edges (for all $x \in X_i$) (regardless of whether $i$ is live or not live in $G$).

2. If $i$ is live in $G$, then (a) every $FD_i$ edge in $b$ has a non-$\bot$ action tag and (b) some infinite subset of the $O_{D,i}$ events contained in $G$ occur in $b$.[6]

3. If $i$ is not live in $G$, then there exists a suffix of $b$ such that the action tag of each $FD_i$, $Proc_i$, and $Env_{i,x}$ edge (for all $x \in X_i$) is $\bot$.

For any location $i$ and fair branch $b$ of $\mathcal{R}^G$, $b$ may contain a $Proc_i$ or an $Env_{i,x}$ edge $E$ such that $a_E = \bot$ for either of two reasons. (1) If $i$ is not live in $G$, then it may be the case that there is no outgoing edge from $v_E$ to any vertex whose location is $i$. (2) There is no enabled action from the corresponding task in $c_N$, where $N$ is the node immediately preceding $E$ in $b$; this is regardless of whether $i$ is live in $G$ or otherwise.

The main result of this subsection is Theorem 9.34, which says that, if $D$ is a strong-sampling AFD, then for any viable observation $G$ of $D$ and for every fair branch $b$ in $\mathcal{R}^G$, (1) the projection of $b$ on the actions of the system $S$ corresponds to a fair trace of system $S$, and (2) the projection of $b$ on the AFD actions corresponds to a trace in $T_D$. We use multiple helper lemmas to prove the main result, which we summarize after the following definitions.

For the remainder of this section, fix $D$ to be a strong-sampling AFD and fix $G$ to be an infinite observation of $D$. Consider a branch $b$ in $\mathcal{R}^G$; since $G$ is an infinite observation, $b$ must also be of infinite length. Let the sequence of nodes in $b$ be $\top, N_1, N_2, \ldots$ in that order. The sequence $exe(b)$ is the limit of the prefix-ordered infinite sequence $exe(\top), exe(N_1), exe(N_2), \ldots$.[7] Note that $exe(b)$ may be a finite or an infinite sequence. Let $trace(b)$ denote the trace of the execution $exe(b)$. Recall that for any node $N$ in $\mathcal{R}^G$, $\mathcal{R}^G|_N$ denotes the maximal subtree of $\mathcal{R}^G$ rooted at $N$.

In Lemma 9.32 we show that for any fair branch $b$ in $\mathcal{R}^G$, $exe(b)|_{O_D}$ is the event-sequence of some fair branch in $G$. However, note that even if $b$ is a fair branch of $\mathcal{R}^G$, $exe(b)$ need not be a fair execution of $S$; also, even if $G$ is viable for $D$, the projection of $exe(b)$ on $O_D \cup I$ need not be in $T_D$. The primary reason for these limitations is that the tree $\mathcal{R}^G$ does not contain any crash events. We rectify this omission in Lemma 9.33, where we insert crash events in $trace(b)$ to obtain a trace $t_S$ of $S$ such that $t_S$ is a fair trace of $S$, and if $G$ is viable for $D$, then $t_S|_{O_D \cup I}$ is compatible with $G$. Lemma 9.33 implies Theorem 9.34.

[5] Recall that $S$ consists of the process automata, the environment automaton, and the channel automata.
[6] Note that $b$ is not guaranteed to contain all the $O_{D,i}$ events contained in $G$.
[7] Note that we have overloaded the function $exe$ to map both nodes and branches to sequences of alternating states and actions. Since the domains of all the instances of the $exe()$ function are disjoint, we can refer to $exe(N)$ or $exe(b)$ without any ambiguity.


Lemma 9.32. For every fair branch $b$ of $\mathcal{R}^G$, $exe(b)|_{O_D}$ is the event-sequence of some fair branch in $G$.

Proof. Fix $b$ to be a fair branch of $\mathcal{R}^G$. Let $b = \top, E_1, N_1, E_2, N_2, \ldots$, where for each natural number $x$, $N_x$ is a node in $\mathcal{R}^G$ and $E_x$ is an edge with lower endpoint $N_x$ in $\mathcal{R}^G$. Applying Lemma 9.4 we know that for any positive integer $x$, if $v_{N_x} = (\bot, 0, \bot)$, then $exe(N_x)|_{O_D}$ is the empty sequence, and otherwise, $exe(N_x)|_{O_D}$ ends with the event of $v_{N_x}$. Note that since $G$ is an infinite observation and $b$ is a fair branch of $\mathcal{R}^G$, there exists a positive integer $x$ such that for all $x' \ge x$, $v_{N_{x'}} \ne (\bot, 0, \bot)$.[8] Applying Lemma 9.6, we know that for any positive integer $x$, $exe(N_x)|_{O_D}$ is a prefix of $exe(N_{x+1})|_{O_D}$. Therefore, $exe(b)|_{O_D}$ is the limit of the event-sequence of $v_{N_1}, v_{N_2}, \ldots$. By construction of $\mathcal{R}^G$, this means that $exe(b)|_{O_D}$ is the event-sequence of some branch $b'$ in $G$. It remains to show that $b'$ is a fair branch in $G$. Recall that $b'$ is a fair branch if for every location $i$ that is live in $G$, $b'$ contains an infinite number of vertices whose location is $i$.

Fix a location $i \in live(G)$. Since $b$ is a fair branch of $\mathcal{R}^G$, there are infinitely many edges in $b$ whose label is $FD_i$; for each such $FD_i$-edge, applying Lemma 9.11, we know that the action tag of the $FD_i$-edge is non-$\bot$. Therefore, the sequence $v_{N_1}, v_{N_2}, \ldots$ contains infinitely many vertices whose location is $i$. Thus, by definition, $b'$ is a fair branch in $G$. Therefore, $exe(b)|_{O_D}$ is the event-sequence of $b'$, which is a fair branch in $G$. □


Next, we assume that $G$ is a viable observation for $D$. In Lemma 9.33, for each fair branch $b$ of $\mathcal{R}^G$, we insert crash events in $trace(b)$ to get a trace $t_S$ of the system $S$ such that $trace(b) = t_S|_{act(S) \setminus I}$ and $t_S|_{O_D \cup I} \in T_D$.


Lemma 9.33. For every fair branch $b$ of $\mathcal{R}^G$, there exists a fair execution $\alpha_S$ of the system $S$ such that $trace(b) = \alpha_S|_{act(S) \setminus I}$ and $\alpha_S|_{O_D \cup I} \in T_D$.


Proof. Fix a fair branch $b$ of $\mathcal{R}^G$. Let $b = \top, E_1, N_1, E_2, N_2, \ldots$, where for each natural number $x$, $N_x$ is a node in $\mathcal{R}^G$ and $E_x$ is an edge with lower endpoint $N_x$ in $\mathcal{R}^G$. By Lemma 9.12 we know that $exe(b)$ is an execution of system $S$. We construct a new execution of system $S$ by starting with $exe(b)$, and inserting crash events as permitted by Lemma 9.1; we then define $\alpha_S$ to be an execution whose trace is $t_S$. In order to invoke Lemma 9.1 we must ascertain the specific positions within $exe(b)$ where we may insert crash events. We determine these positions by deriving a trace $t'_D \in T_D$ such that the sequence of AFD output events in $t'_D$ is the projection of $exe(b)$ on AFD output events. We then use the positions of crash events in $t'_D$ to determine the positions in $exe(b)$ where crash events are inserted.

Recall that $G$ is a viable observation for $D$. By Lemma 9.32, we know that $exe(b)|_{O_D}$ is the event-sequence of some fair branch $b_G$ in $G$. Let $t_D \in T_D$ be compatible with $G$, and we assume that $t_D$ has no extra crashes.[9] By Lemma 8.6 we know that there exists $t'_D \in T_D$ such that $t'_D|_{O_D}$ is a strong sampling of $t_D$ and is the event sequence of $b_G$. Fix such a trace $t'_D$. By construction, $t'_D|_{O_D} = exe(b)|_{O_D} = trace(b)|_{O_D}$ and $live(t'_D) = live(G)$. Note that $t'_D$ does not contain any extra crashes.

[8] We know such a positive integer $x$ exists for the following reason. Since $G$ is an infinite observation, $G$ has some live location $i$. By Lemma 9.31 we know that every $FD_i$ edge in $\mathcal{R}^G$ has a non-$\bot$ action tag, and this can happen only if for each $FD_i$ edge, the vertex tag of the node preceding that edge is not $(\bot, 0, \bot)$. Since $b$ is a fair branch, $b$ contains infinitely many such nodes; fix any such node $N$. By Lemma 9.8 we know that for each descendant $\hat{N}$ of $N$ in $b$, $v_{\hat{N}}$ is a vertex in $G$ and therefore,
[9] Note that for any trace $t_D$ that is compatible with $G$, the trace $mincrash(t_D)$ is also compatible with $G$ and does not contain any extra crashes. So, it is reasonable to assume that $t_D$ does not contain any extra crashes.

For each location $i$ that is not live in $G$, let $e_{i+}$ be the earliest event from $O_D$ that follows the $crash_i$ event in $t'_D$.

We construct $t_S$ by iteratively applying Lemma 9.1 to $exe(b)$, once for each location $i$ that is not live in $G$, as follows. Starting with $trace(b)$, for each location $i$ that is not live in $G$, insert $crash_i$ immediately before event $e_{i+}$. If more than one crash event is inserted in the same position in $trace(b)$, order these crash events in the order in which they appear in $t'_D$. Let the trace thus obtained be $t_S$.

Note that by construction $t_S|_{I \cup O_D} = t'_D$. Therefore, $t_S|_{I \cup O_D}$ is a strong sampling of $t_D$. For each location $i$ that is not live in $G$, let vertex $v_{i+}$ be the vertex corresponding to event $e_{i+}$; since $t_S|_{I \cup O_D}$ is a strong sampling of $t_D$, $crash_i$ precedes $e_{i+}$ in $t_D$, and therefore, there are no edges from $v_{i+}$ to any vertex whose location is $i$. Therefore, by construction of $\mathcal{R}^G$, for any node $N$ whose vertex tag is $v_{i+}$, and for any outgoing $FD_i$-edge $E$ from $N$, $a_E = \bot$. Therefore, by Lemma 9.13 we know that for outgoing $Proc_i$, $Env_i$ and $FD_i$ edges from the descendants of $N$, their action tags are also $\bot$. Therefore, in $trace(b)$, for each location $i$ that is not live in $G$, there are no $Proc_i$, $O_{D,i}$, or $\mathcal{E}_i$ events following $e_{i+}$. Therefore, starting with $trace(b)$ and iteratively applying Lemma 9.1 for each crash event inserted, we conclude that there exists an execution $\alpha_S$ of $S$ whose trace is $t_S$.

It remains to show that (1) $\alpha_S|_{O_D \cup I} \in T_D$ and (2) $\alpha_S$ is a fair execution of $S$. We prove each part separately.


Claim 1. $\alpha_S|_{O_D \cup I} \in T_D$.

Proof. Note that by construction $\alpha_S|_{I \cup O_D} = t'_D$; therefore, $\alpha_S|_{I \cup O_D} \in T_D$. □


Claim 2. $\alpha_S$ is a fair execution of $S$.

Proof. By construction, $\alpha_S$ is an execution of $S$. In order to show that $\alpha_S$ is a fair execution of $S$, we have to show the following. (a) If $\alpha_S$ is finite, then for each task $l \in T$, $l$ is not enabled in the final state of $\alpha_S$; and (b) if $\alpha_S$ is infinite, then for each task $l \in T$, $\alpha_S$ contains either infinitely many events from $l$ or infinitely many occurrences of states in which $l$ is not enabled. (Recall that $T$ is the set of tasks in $S$.)

Case (a): $\alpha_S$ is finite. We show that this is impossible as follows. Assume for contradiction that $\alpha_S$ is finite. Since $G$ is an infinite observation, there exists a location $j$ such that there are infinitely many vertices in $G$ whose location is $j$. Since $b$ is a fair branch of $\mathcal{R}^G$, we know that $b$ contains infinitely many $FD_j$ edges. Applying Lemma 9.11, we conclude that the action tag of each $FD_j$-edge in $b$ is non-$\bot$, and therefore, $exe(b)$ is infinite. Therefore, $trace(b)$ is infinite. Since $t_S$ is obtained by inserting events into $trace(b)$, $t_S$ is infinite, and consequently $\alpha_S$ is infinite. Thus, we have a contradiction.

Case (b): $\alpha_S$ is infinite. For contradiction, assume that $\alpha_S$ is not a fair execution. Therefore, there must exist a task $l$ such that $\alpha_S$ contains only finitely many events from $l$ and only finitely many occurrences of states in which $l$ is not enabled. Fix such an $l$. We consider each possible value of $l$.


• $l \in \{Chan_{j,k} \mid j \in \Pi, k \in \Pi \setminus \{j\}\}$. From the construction of $\mathcal{R}^G$, we know that for each $l$-edge $E$ from a node $N'$ in $b$, if some action $a$ in $l$ is enabled in $c_{N'}$, then $a_E = a$. Furthermore, note that in any execution $\alpha$ of $S$, if some action $a$ in $l$ is enabled in a state $s$ of $\alpha$, $a$ remains enabled in the suffix of $\alpha$ following $s$ until $a$ occurs. By assumption, since there are only finitely many events from $l$ in $\alpha_S$, and $t_S$ (the trace of $\alpha_S$) is constructed by inserting events into $trace(b)$, it follows that in some infinite suffix of $b$, for each node $N'$, no action from $l$ is enabled in $c_{N'}$. Since inserting crash events does not change the state of the channel automata, it follows that no action from $l$ is enabled in some infinite suffix of $\alpha_S$. This contradicts our assumption that $\alpha_S$ contains only finitely many occurrences of states in which $l$ is not enabled.

• $l \in \{Proc_j, Env_{j,x} \mid j \in \Pi, x \in X_j\}$. Fix the location of $l$ to be $k$. We consider two subcases: (i) $k$ is not live in $G$, and (ii) $k$ is live in $G$.

  – $k$ is not live in $G$. By construction, $b$ contains only finitely many $l$-edges whose action tags are non-$\bot$, and by construction of $t_S$ we know that $\alpha_S$ contains a $crash_k$ event, following which there are no events from task $l$. In other words, $\alpha_S$ contains only finitely many events from $l$. However, recall that a $crash_k$ event disables all the actions from $l$ forever thereafter. Therefore, in the suffix of $\alpha_S$ following a $crash_k$ event, no action from $l$ is enabled. This contradicts our assumption that $\alpha_S$ contains only finitely many events from $l$ and only finitely many occurrences of states in which $l$ is not enabled.

  – $k$ is live in $G$. Therefore $G$ contains infinitely many vertices whose location is $k$. Note that in $b$, $l$-edges occur infinitely often. By construction of the tree $\mathcal{R}^G$, we know that for each node $N'$ in $b$ that immediately precedes an $l$-edge $E'$, either $v_{N'}$ is not a vertex in $G$ and $G$ contains infinitely many vertices whose location is $k$, or $v_{N'}$ has an outgoing edge to some vertex in $G$ whose location is $k$; consequently, if some action in $l$ is enabled in $N'$, then $a_{E'} \ne \bot$. Therefore, if $exe(b)$ contains only finitely many events from $l$, then it must have only finitely many occurrences of states in which $l$ is enabled; in other words, $exe(b)$ contains infinitely many occurrences of states in which $l$ is not enabled. By construction of $\alpha_S$, we know that $\alpha_S$ does not contain a $crash_k$ event. Since $t_S$ (the trace of $\alpha_S$) is obtained from $trace(b)$ by inserting only crash events and $trace(b)$ does not contain any $crash_k$ events, we know that the projection of $exe(b)$ on the states of $Proc_k$ and $\mathcal{E}_k$ is equal to the projection of $\alpha_S$ on the states of $Proc_k$ and $\mathcal{E}_k$. Therefore, if $exe(b)$ contains infinitely many occurrences of states in which $l$ is not enabled, then $\alpha_S$ contains infinitely many occurrences of states in which $l$ is not enabled. Thus we have a contradiction.

Thus, we have proved that $\alpha_S$ is a fair execution of $S$. □

The proof follows from Claims 1 and 2. □

Theorem 9.34. Let $D$ be a strong-sampling AFD. Let $G$ be a viable observation for $D$. For every fair branch $b$ of $\mathcal{R}^G$, there exists a fair trace $t_S$ of $S$ such that $trace(b) = t_S|_{act(S) \setminus I}$.

Proof. Fix $D$ and $G$ as in the hypotheses of the theorem statement. The proof follows directly from Lemma 9.33. □

10 Consensus Using Strong-Sampling AFDs

In this section, we show how a strong-sampling AFD sufficient to solve crash-tolerant consensus circumvents the impossibility of consensus in asynchronous systems. We use this result in the next section to demonstrate that $\Omega_f$ is a weakest strong-sampling AFD to solve $f$-crash-tolerant binary consensus, which is defined next.
10.1 Crash-Tolerant Binary Consensus

For any $f$ in $[0, \ldots, n-1]$, the $f$-crash-tolerant binary consensus problem $P = (I_P, O_P, T_{P,f})$ is specified as follows. The set $I_P$ is $\{propose(v)_i \mid v \in \{0,1\} \wedge i \in \Pi\} \cup \{crash_i \mid i \in \Pi\}$, and the set $O_P$ is $\{decide(v)_i \mid v \in \{0,1\} \wedge i \in \Pi\}$. Before defining the set of sequences $T_{P,f}$, we provide the following auxiliary definitions.

Let $t$ be an arbitrary (finite or infinite) sequence over $I_P \cup O_P$. The following definitions apply to the sequence $t$.

Decision value: If an event $decide(v)_i$ occurs for some $i \in \Pi$ in sequence $t$, then $v$ is said to be a decision value of $t$.

Environment well-formedness: The environment well-formedness property states that (1) the environment provides each location with at most one input value, (2) the environment does not provide any input values at a location after a crash event at that location, and (3) the environment provides each live location with exactly one input value. Precisely, (1) for each location $i \in \Pi$ at most one event from the set $\{propose(v)_i \mid v \in \{0,1\}\}$ occurs in $t$, (2) for each location $i \in faulty(t)$ no event from the set $\{propose(v)_i \mid v \in \{0,1\}\}$ follows a $crash_i$ event in $t$, and (3) for each location $i \in live(t)$ exactly one event from the set $\{propose(v)_i \mid v \in \{0,1\}\}$ occurs in $t$.

$f$-crash limitation: The $f$-crash limitation property states that at most $f$ locations crash. Precisely, there exist at most $f$ locations $i$ such that $crash_i$ occurs in $t$.

Crash validity: The crash validity property states that no location decides after crashing. That is, for every location $i \in crash(t)$, no event from the set $\{decide(v)_i \mid v \in \{0,1\}\}$ follows a $crash_i$ event in $t$.

Agreement: The agreement property states that no two locations decide differently. That is, if two events $decide(v)_i$ and $decide(v')_j$ occur in $t$, then $v = v'$.

Validity: The validity property states that any decision value at any location must be an input value at some location. That is, for each location $i \in \Pi$, if an event $decide(v)_i$ occurs in $t$, then there exists a location $j \in \Pi$ such that the event $propose(v)_j$ occurs in $t$.

Termination: The termination property states that each location decides at most once, and each live location decides exactly once. That is, for each location $i \in \Pi$, at most one event from the set $\{decide(v)_i \mid v \in \{0,1\}\}$ occurs in $t$, and for each location $i \in live(t)$, exactly one event from the set $\{decide(v)_i \mid v \in \{0,1\}\}$ occurs in $t$.

Using the above definitions, we define the set $T_{P,f}$ for $f$-crash-tolerant binary consensus as follows.

The set $T_{P,f}$: $T_{P,f}$ is the set of all sequences $t$ over $I_P \cup O_P$ such that, if $t$ satisfies environment well-formedness and $f$-crash limitation, then $t$ satisfies crash validity, agreement, validity, and termination. Note that $T_{P,f}$ contains all the sequences over $I_P \cup O_P$ in which more than $f$ locations crash; informally, $f$-crash-tolerant consensus provides no guarantees if more than $f$ locations crash.
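As an added illustration (not part of the paper), the following Python checker decides membership of a finite event sequence in $T_{P,f}$ exactly as defined above; the tuple encoding of events, the location numbering $0..n-1$ in place of $\Pi$, and the sample traces are all constructed here. Because the sequences are finite, termination is checked as "exactly one decide at every live location within the given sequence".

```python
from typing import List, Optional, Set, Tuple

# Event encoding, constructed for this example (not the paper's notation):
#   propose(v)_i -> ("propose", v, i)
#   decide(v)_i  -> ("decide", v, i)
#   crash_i      -> ("crash", None, i)
# Locations are 0 .. n-1, standing in for the set Pi of the paper.
Event = Tuple[str, Optional[int], int]


def faulty(t: List[Event]) -> Set[int]:
    """faulty(t): locations i for which crash_i occurs in t."""
    return {i for kind, _, i in t if kind == "crash"}


def live(t: List[Event], n: int) -> Set[int]:
    """live(t): locations with no crash event in t."""
    return set(range(n)) - faulty(t)


def first_crash_index(t: List[Event], i: int) -> Optional[int]:
    """Position of the first crash_i event in t, or None if i never crashes."""
    for k, (kind, _, loc) in enumerate(t):
        if kind == "crash" and loc == i:
            return k
    return None


def environment_well_formed(t: List[Event], n: int) -> bool:
    """(1) at most one propose per location, (2) no propose after crash_i,
    (3) exactly one propose at every live location."""
    for i in range(n):
        proposes = [k for k, (kind, _, loc) in enumerate(t)
                    if kind == "propose" and loc == i]
        if len(proposes) > 1:
            return False
        c = first_crash_index(t, i)
        if c is not None and any(k > c for k in proposes):
            return False
        if c is None and len(proposes) != 1:
            return False
    return True


def f_crash_limitation(t: List[Event], f: int) -> bool:
    """At most f locations crash in t."""
    return len(faulty(t)) <= f


def crash_validity(t: List[Event]) -> bool:
    """No decide_i event follows a crash_i event."""
    for i in faulty(t):
        c = first_crash_index(t, i)
        if any(kind == "decide" and loc == i for kind, _, loc in t[c + 1:]):
            return False
    return True


def agreement(t: List[Event]) -> bool:
    """All decide events carry the same value."""
    return len({v for kind, v, _ in t if kind == "decide"}) <= 1


def validity(t: List[Event]) -> bool:
    """Every decision value was proposed at some location."""
    proposed = {v for kind, v, _ in t if kind == "propose"}
    return all(v in proposed for kind, v, _ in t if kind == "decide")


def termination(t: List[Event], n: int) -> bool:
    """Each location decides at most once; each live location exactly once."""
    for i in range(n):
        decides = sum(1 for kind, _, loc in t if kind == "decide" and loc == i)
        if decides > 1 or (i in live(t, n) and decides != 1):
            return False
    return True


def in_T_Pf(t: List[Event], n: int, f: int) -> bool:
    """Membership of a finite sequence t in T_{P,f}: the consensus properties
    are required only if t is environment well-formed and f-crash limited;
    otherwise t belongs to T_{P,f} vacuously."""
    if not (environment_well_formed(t, n) and f_crash_limitation(t, f)):
        return True
    return (crash_validity(t) and agreement(t)
            and validity(t) and termination(t, n))


# Constructed sample traces for n = 3 locations and f = 1.
GOOD = [("propose", 0, 0), ("propose", 1, 1), ("propose", 1, 2),
        ("crash", None, 2), ("decide", 1, 0), ("decide", 1, 1)]
DISAGREE = [("propose", 0, 0), ("propose", 1, 1), ("propose", 1, 2),
            ("decide", 0, 0), ("decide", 1, 1), ("decide", 1, 2)]
DECIDE_AFTER_CRASH = [("propose", 0, 0), ("propose", 0, 1), ("propose", 0, 2),
                      ("crash", None, 2), ("decide", 0, 2),
                      ("decide", 0, 0), ("decide", 0, 1)]
TOO_MANY_CRASHES = [("propose", 0, 0), ("crash", None, 1), ("crash", None, 2),
                    ("decide", 1, 0)]   # validity would fail, but f is exceeded

if __name__ == "__main__":
    for name, t in [("GOOD", GOOD), ("DISAGREE", DISAGREE),
                    ("DECIDE_AFTER_CRASH", DECIDE_AFTER_CRASH),
                    ("TOO_MANY_CRASHES", TOO_MANY_CRASHES)]:
        print(f"{name}: in T_P,f = {in_T_Pf(t, 3, 1)}")
```

The last trace shows the vacuity remarked on above: with two crashes and $f = 1$ it is in $T_{P,f}$ even though its decision value was never proposed.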
10.2 A Well-formed Environment Automaton for Consensus

Given an environment automaton $\mathcal{E}$ whose set of input actions is $O_P \cup I$ and set of output actions is $I_P \setminus I$, $\mathcal{E}$ is said to be a well-formed environment iff every fair trace $t$ of $\mathcal{E}$ satisfies environment well-formedness. For our purpose, we assume a specific well-formed environment $\mathcal{E}_C$ defined next.

The automaton $\mathcal{E}_C$ is a composition of $n$ automata $\{\mathcal{E}_{C,i} \mid i \in \Pi\}$. Each automaton $\mathcal{E}_{C,i}$ has two output actions $propose(0)_i$ and $propose(1)_i$, three input actions $decide(0)_i$, $decide(1)_i$, and $crash_i$, and no internal actions. Each output action constitutes a separate task. Action $propose(v)_i$, where $v \in \{0,1\}$, permanently disables actions $propose(v)_i$ and $propose(1-v)_i$. The $crash_i$ input action disables actions $propose(v)_i$ and $propose(1-v)_i$. The automaton $\mathcal{E}_{C,i}$ is shown in Algorithm 2.

Next, we show that $\mathcal{E}_C$ is a well-formed environment automaton. Observe that the automaton $\mathcal{E}_C$ satisfies the following Lemma.


Algorithm 2 Automaton $\mathcal{E}_{C,i}$, where $i \in \Pi$. The composition of $\{\mathcal{E}_{C,i} \mid i \in \Pi\}$ constitutes the environment automaton $\mathcal{E}_C$ for consensus.

Signature:
    input $crash_i$, $decide(0)_i$, $decide(1)_i$
    output $propose(0)_i$, $propose(1)_i$

Variables:
    $stop$: Boolean, initially $false$

Actions:
    input $crash_i$
        effect
            $stop := true$

    input $decide(b)_i$, $b \in \{0,1\}$
        effect
            none

    output $propose(b)_i$, $b \in \{0,1\}$
        precondition
            $stop = false$
        effect
            $stop := true$

Tasks:
    $Env_{i,0} = \{propose(0)_i\}$, $Env_{i,1} = \{propose(1)_i\}$


Note that for each location $i$, each action $propose(v)_i$ (where $v \in \{0,1\}$ and $i \in \Pi$) in $\mathcal{E}_C$ constitutes a separate task $Env_{i,v}$ in $\mathcal{E}_{C,i}$.

Lemma 10.1. In $\mathcal{E}_C$, action $propose(v)_i$ (where $v \in \{0,1\}$ and $i \in \Pi$) permanently disables the actions $propose(v)_i$ and $propose(1-v)_i$.

Proof. Fix $v \in \{0,1\}$ and $i \in \Pi$. From the pseudocode in Algorithm 2 we know that the precondition for actions $propose(v)_i$ and $propose(1-v)_i$ is $(stop = false)$. We also see that the effect of action $propose(v)_i$ is to set $stop$ to $true$, and no action ever sets $stop$ back to $false$. Thus, the Lemma follows. □

Theorem 10.2. Automaton $\mathcal{E}_C$ is a well-formed environment.

Proof. To establish the theorem, we have to prove the following three claims for every fair trace $t$ of $\mathcal{E}_C$. (1) For each location $i \in \Pi$, at most one event from the set $\{propose(v)_i \mid v \in \{0,1\}\}$ occurs in $t$. (2) For each location $i \in faulty(t)$, no event from the set $\{propose(v)_i \mid v \in \{0,1\}\}$ follows a $crash_i$ event in $t$. (3) For each location $i \in live(t)$, exactly one event from the set $\{propose(v)_i \mid v \in \{0,1\}\}$ occurs in $t$.

Claim 1. For each location $i \in \Pi$, at most one event from the set $\{propose(v)_i \mid v \in \{0,1\}\}$ occurs in $t$.

Proof. Fix $i$. If no event from $\{propose(v)_i \mid v \in \{0,1\}\}$ occurs in $t$, then the claim is satisfied. For the remainder of the proof of this claim, assume some event from $\{propose(v)_i \mid v \in \{0,1\}\}$ occurs in $t$; let $e$ be the earliest such event. Let $t_{pre}$ be the prefix of $t$ that ends with $e$. After event $e$ occurs, we know from Lemma 10.1 that $e$ disables all actions in $\{propose(v)_i \mid v \in \{0,1\}\}$. Therefore, in the suffix of $t$ following $t_{pre}$, no event from $\{propose(v)_i \mid v \in \{0,1\}\}$ occurs. □

Claim 2. For each location $i \in faulty(t)$, no event from the set $\{propose(v)_i \mid v \in \{0,1\}\}$ follows a $crash_i$ event in $t$.

Proof. Fix $i$ to be a location in $faulty(t)$. From the pseudocode in Algorithm 2 we know that action $crash_i$ sets $stop$ to $true$. Furthermore, no action sets $stop$ to $false$. Also, observe that the precondition for actions in $\{propose(v)_i \mid v \in \{0,1\}\}$ is $stop = false$. Therefore, actions in $\{propose(v)_i \mid v \in \{0,1\}\}$ do not follow a $crash_i$ event in $t$. □

Claim 3. For each location $i \in live(t)$, exactly one event from the set $\{propose(v)_i \mid v \in \{0,1\}\}$ occurs in $t$.

Proof. Fix $i$ to be a location in $live(t)$. In Algorithm 2 we see that $stop$ is initially $false$, and is not set to $true$ until either $crash_i$ occurs or an event from $\{propose(v)_i \mid v \in \{0,1\}\}$ occurs. Since $i \in live(t)$, we know that $crash_i$ does not occur in $t$. Since $t$ is a fair trace, actions in $\{propose(v)_i \mid v \in \{0,1\}\}$ remain enabled until one of the actions occurs. After one event from $\{propose(v)_i \mid v \in \{0,1\}\}$ occurs, from Claim 1, we know that no more events from $\{propose(v)_i \mid v \in \{0,1\}\}$ occur. □

The theorem follows from Claims 1, 2, and 3. □


10.3 System Definition

For the remainder of this section, fix a strong-sampling AFD $D$, a distributed algorithm $A$, and a natural number $f$ ($f < n$) such that $A$ solves $f$-crash-tolerant binary consensus using AFD $D$ in environment $\mathcal{E}_C$. Let $S$ be a system that is composed of distributed algorithm $A$, channel automata, and the well-formed environment automaton $\mathcal{E}_C$.

Based on the properties of $f$-crash-tolerant binary consensus and system $S$, we have the following Lemma which restricts the number of decision values in an execution of $S$.

Lemma 10.3. For every fair execution $\alpha$ of $S$, where $\alpha|_{I \cup O_D} \in T_D$ and $\alpha|_{I_P \cup O_P}$ satisfies $f$-crash limitation, $\alpha|_{I_P \cup O_P}$ has exactly one decision value.

Proof. Fix $\alpha$ to be a fair execution of $S$ such that $\alpha|_{I \cup O_D} \in T_D$ and $\alpha|_{I_P \cup O_P}$ satisfies $f$-crash limitation. Recall that $S$ consists of a distributed algorithm $A$ that solves $f$-crash-tolerant binary consensus using AFD $D$, the channel automata, and $\mathcal{E}_C$. Since $\alpha|_{I \cup O_D} \in T_D$, we know from the definition of "solving a problem using an AFD" that $\alpha|_{I_P \cup O_P} \in T_{P,f}$.

Recall that $T_{P,f}$ is the set of all sequences $t$ over $I_P \cup O_P$ such that if $t$ satisfies environment well-formedness and $f$-crash limitation, then $t$ satisfies crash validity, agreement, validity, and termination. We assumed that $\alpha|_{I_P \cup O_P}$ satisfies $f$-crash limitation. From Theorem 10.2, we know that $\mathcal{E}_C$ is a well-formed environment. Therefore, $\alpha|_{I_P \cup O_P}$ satisfies environment well-formedness. Consequently, $\alpha|_{I_P \cup O_P}$ satisfies agreement and termination. By the agreement property we know that $\alpha|_{I_P \cup O_P}$ contains at most one decision value. Since $f < n$, we know that there is at least one location for which no crash event occurs, and therefore, by the termination property, we know that at least one location decides. In other words, $\alpha|_{I_P \cup O_P}$ has exactly one decision value. □


10.4 Trees of Executions

For the remainder of this section, fix $G$ to be an arbitrary viable observation of $D$ such that at most $f$ locations are not live in $G$. Recall the construction of the execution trees from Section 9; construct the tree $\mathcal{R}^G$ for system $S$.

The primary reasons for fixing $G$ to be a viable observation are the following. Lemmas 10.4, 10.5, and 10.6, which talk about possible decision values in branches of $\mathcal{R}^G$, are true only for viable observations. Furthermore, the notion of "valence" defined in Section 10.5 is applicable only when Lemmas 10.4, 10.5, and 10.6 hold, and consequently, "valence" makes sense only for viable observations. Since the rest of Section 10 discusses the properties of branches of the execution trees and their valences, we must fix $G$ to be a viable observation for the remainder of the section.

Since $G$ is a viable observation of $D$, by definition, there exists a trace $t_D \in T_D$ such that $t_D|_{O_D}$ is the event sequence of some topological ordering of the vertices in $G$. Fix such a trace $t_D$ for the remainder of this section.

The set $L$ of labels in $\mathcal{R}^G$ is $\{FD_i \mid i \in \Pi\} \cup \{Proc_i \mid i \in \Pi\} \cup \{Env_{i,v} \mid i \in \Pi \wedge v \in \{0,1\}\} \cup \{Chan_{i,j} \mid i \in \Pi \wedge j \in \Pi \setminus \{i\}\}$.

Recall from Section 10.1 that in any sequence $t$ over $I_P \cup O_P$, if an event $decide(v)_i$ occurs, then $v$ is said to be a decision value of $t$. We extend this definition to arbitrary sequences; for any sequence $t$, if $t$ contains an element $decide(v)_i$ (where $v \in \{0,1\}$ and $i \in \Pi$), then $v$ is said to be a decision value of $t$.


The next Lemma follows immediately from Theorem 9.34 and Lemma 10.3.

Lemma 10.4. For each fair branch $b$ in $\mathcal{R}^G$, $exe(b)$ has exactly one decision value.

Proof. Fix a fair branch $b$ in $\mathcal{R}^G$. Invoking Theorem 9.34, we know that there exists a fair trace $t_S$ of $S$ such that $trace(b) = t_S|_{act(S) \setminus I}$. Let $\alpha_S$ be a fair execution of $S$ whose trace is $t_S$, and let $t'_D = t_S|_{I \cup O_D}$. Since $trace(b) = t_S|_{act(S) \setminus I}$, we know that $t'_D|_{O_D} = trace(b)|_{O_D} = exe(b)|_{O_D}$. Invoking Lemma 9.32, we know that $exe(b)|_{O_D}$ is the event-sequence of some fair branch in $G$. Therefore, $t'_D|_{O_D}$ is the event-sequence of some fair branch in $G$.

Since at most $f$ locations are not live in $G$, there are at most $f$ locations $i$ such that $t'_D$ has only finitely many events from $O_{D,i}$. Since $t'_D \in T_D$, we know that $t'_D$ has at most $f$ locations that are not live in $t'_D$. Recall that $t'_D = t_S|_{I \cup O_D}$; therefore, there are at most $f$ locations that are not live in $\alpha_S$. In other words, $\alpha_S|_{I_P \cup O_P}$ satisfies $f$-crash limitation. Thus, invoking Lemma 10.3 we know that $\alpha_S|_{I_P \cup O_P}$ has exactly one decision value. Since $trace(b) = \alpha_S|_{act(S) \setminus I}$, we know that $trace(b)$, and therefore $exe(b)$, has exactly one decision value. □

Lemma 10.5. For each node $N$ in $\mathcal{R}^G$, $exe(N)$ has at most one decision value.

Proof. Fix node $N$ of $\mathcal{R}^G$. Fix $b$ to be a fair branch that contains node $N$. By construction $exe(N)$ is a prefix of $exe(b)$. Invoking Lemma 10.4 yields that $exe(b)$ has exactly one decision value. Therefore, $exe(N)$ must have at most one decision value. □
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Fix a convergent seqnence of finite observations Gi, G 2 , G 3 ,... that converge to G; that is, for 
each positive integer x, Gx is a prefix of Gx+i, and hm^^oo Gx = G. Construct the sequence of 
trees TZ'^^ , for system S 

Lemma 10.6. For each observation G' G {G, Gi, G 2 ,.. for each node N in TZ^', exe{N) has at 
most one decision value. 


Proof. Fix an observation G' and a node N as in the hypothesis of the lemma. For contraction, 
assume that exe{N) has more than one decision value. 

Recall that every observation in {G, Gi, G 2 ,...} is a prefix of G, and therefore, G' is a prefix 
of G. Therefore, by Lemma 9.26, we know that TZ^ has a node Nq such that exe{N) = exe{NG). 
Since exe{N) has more than one decision value, exe{NG) must also have more than one decision 
value. However, this contradicts Lemma 110.51 □ 


10.5 Valence

For any arbitrary observation $G' \in \{G, G_1, G_2, \ldots\}$ and any arbitrary node $N$ in $\mathcal{R}^{G'}$, we define the notion of "valence" as follows. From Lemma 9.4 we know that $exe(N)$ is a finite execution of system $S$. Node $N$ is said to be bivalent in $\mathcal{R}^{G'}$ if there exist two descendants $N_0$ and $N_1$ of $N$ such that $exe(N_0)$ has decision value 0 and $exe(N_1)$ has decision value 1; recall from Lemma 10.6 that every node has at most one decision value. Similarly, $N$ is said to be $v$-valent in $\mathcal{R}^{G'}$ (for $v \in \{0,1\}$) if there exists a descendant $N_v$ of $N$ such that $v$ is a decision value of $exe(N_v)$, and for every descendant $N'$ of $N$, it is not the case that $1 - v$ is a decision value of $exe(N')$. If $N$ is either 0-valent or 1-valent, then it is said to be univalent.


10.5.1 Valence of nodes in execution trees of $\{G, G_1, G_2, \ldots\}$

Here we show the following properties related to valence for any arbitrary observation $G' \in \{G, G_1, G_2, \ldots\}$ and any arbitrary node $N$ in $\mathcal{R}^{G'}$. If $N$ is bivalent in $\mathcal{R}^{G'}$, then it does not have a decision value (Lemma 10.7). If a non-$\bot$ node $N$ is bivalent in $\mathcal{R}^{G_x}$ for some $x$, then for all $x' > x$, $N$ remains a non-$\bot$ bivalent node in $\mathcal{R}^{G_{x'}}$ and in $\mathcal{R}^G$ (Lemma 10.8 and Corollaries 10.9 and 10.10). If a non-$\bot$ node $N$ is bivalent in $\mathcal{R}^G$, then for some positive integer $x$ and all $x' > x$, $N$ remains a non-$\bot$ bivalent node in $\mathcal{R}^{G_{x'}}$ (Lemma 10.11 and Corollary 10.12). Finally, if a non-$\bot$ node $N$ is univalent in $\mathcal{R}^G$, then for some positive integer $x$ and all $x' > x$, $N$ remains a non-$\bot$ univalent node in $\mathcal{R}^{G_{x'}}$ (Lemma 10.13).


Lemma 10.7. Fix $G'$ to be an arbitrary observation in $\{G, G_1, G_2, \ldots\}$. Then, for every bivalent node $N$ in $\mathcal{R}^{G'}$, $exe(N)$ does not have a decision value.

Proof. Fix $N$ to be a bivalent node in $\mathcal{R}^{G'}$. By Lemma 10.6, $exe(N)$ has at most one decision value. For contradiction, let $exe(N)$ have a decision value (say) $v$. Then, since $exe(N)$ is a prefix of $exe(N')$ for every descendant $N'$ of $N$, every descendant $N'$ of $N$ also has exactly one decision value, namely $v$. However, since $N$ is bivalent, some descendant $N'$ of $N$ must have decision value $1 - v$. Thus, we have a contradiction. □

Applying Lemma 9.30 to the sequence $G_1, G_2, \ldots$, we conclude the following. For each positive integer $x$, for each non-$\bot$ node $N$ in $\mathcal{R}^{G_x}$, and for each positive integer $x' > x$, $\mathcal{R}^{G_{x'}}$ contains node $N$.


Lemma 10.8. For each positive integer $x$, if a non-$\bot$ node $N$ is bivalent in $\mathcal{R}^{G_x}$, then node $N$ in $\mathcal{R}^{G_{x+1}}$ is a non-$\bot$ node and is bivalent.

Proof. Fix $x$ and $N$ as in the hypotheses of the lemma. Since $N$ is bivalent, there exists some descendant $N_1$ of $N$ in $\mathcal{R}^{G_x}$ such that the decision value of $exe(N_1)$ is 1, and there exists some descendant $N_0$ of $N$ in $\mathcal{R}^{G_x}$ such that the decision value of $exe(N_0)$ is 0. Applying Lemma 9.21, we know that there exist descendants $N_{x,1}$ and $N_{x,0}$ of $N$ such that the decision value of $exe(N_{x,1})$ is 1, the decision value of $exe(N_{x,0})$ is 0, and neither the path from $N$ to $N_{x,1}$ nor the path from $N$ to $N_{x,0}$ contains an edge whose action tag is $\bot$. In other words, $N_{x,1}$ and $N_{x,0}$ are non-$\bot$ nodes.

Thus, in $\mathcal{R}^{G_x}$, the paths from the root to $N$, from the root to $N_{x,1}$, and from the root to $N_{x,0}$ do not contain any edge whose action tag is $\bot$. Recall that $G_x$ is a prefix of $G_{x+1}$. Applying Lemma 9.24, we know that $\mathcal{R}^{G_{x+1}}$ contains the non-$\bot$ nodes $N$, $N_{x,1}$, and $N_{x,0}$. That is, node $N$ in $\mathcal{R}^{G_{x+1}}$ is bivalent. □

Corollary 10.9. For each positive integer $x$, if a non-$\bot$ node $N$ is bivalent in $\mathcal{R}^{G_x}$, then for all positive integers $x' > x$, node $N$ in $\mathcal{R}^{G_{x'}}$ is a non-$\bot$ node and is bivalent.

Proof. The corollary is an inductive extension of Lemma 10.8, where the induction is on $x' - x$. □

Corollary 10.10. For each positive integer $x$, if a non-$\bot$ node $N$ is bivalent in $\mathcal{R}^{G_x}$, then $N$ is a non-$\bot$ node and is bivalent in $\mathcal{R}^G$.

Lemma 10.11. If a non-$\bot$ node $N$ is bivalent in $\mathcal{R}^G$, then there exists a positive integer $x$ such that $N$ is a non-$\bot$ node and is bivalent in $\mathcal{R}^{G_x}$.

Proof. Fix $N$ as in the hypotheses of the lemma. Since $N$ is bivalent in $\mathcal{R}^G$, there exist descendants $N_0$ and $N_1$ of $N$ such that $exe(N_0)$ has decision value 0 and $exe(N_1)$ has decision value 1 in $\mathcal{R}^G$.

Let $d_0$ be the depth of node $N_0$ in $\mathcal{R}^G$, and let $d_1$ be the depth of node $N_1$ in $\mathcal{R}^G$. Let $d$ denote $\max(d_0, d_1)$. Since $G$ is the limit of $G_x$ as $x$ tends to $\infty$, we know that there exists a positive integer $x_1$ such that $G_{x_1}$ contains the vertices $v_{N_0}$ and $v_{N_1}$. Since at least one location is live in $G$, $G$ has infinitely many vertices, and so there exists a positive integer $x_2$ such that $G_{x_2}$ contains at least $d$ vertices. Let $x$ be $\max(x_1, x_2)$; therefore, both $G_{x_1}$ and $G_{x_2}$ are prefixes of $G_x$. Therefore, $G_x$ contains the vertices $v_{N_0}$ and $v_{N_1}$ and $G_x$ contains at least $d$ vertices, and hence the sequence of distinct non-$(\bot, 0, \bot)$ vertex tags in the paths from the root to $N_0$ and from the root to $N_1$ in $\mathcal{R}^G$ is also a path in $G_x$. By Lemma 9.28, we know that $\mathcal{R}^{G_x}$ contains the nodes $N$, $N_1$, and $N_0$. Furthermore, we conclude that $N$ is bivalent in $\mathcal{R}^{G_x}$. □


Corollary 10.12. For each non-$\bot$ bivalent node $N$ in $\mathcal{R}^G$, there exists a positive integer $x$ such that for all positive integers $x' > x$, node $N$ is a non-$\bot$ bivalent node in $\mathcal{R}^{G_{x'}}$.

Proof. Fix $N$ as in the hypothesis of the corollary. From Lemma 10.11, we know that there exists a positive integer $x$ such that $N$ is a non-$\bot$ bivalent node in $\mathcal{R}^{G_x}$. For any $x' > x$, we know that $G_x$ is a prefix of $G_{x'}$. Applying Lemma 9.24, we conclude that $N$ is a non-$\bot$ bivalent node in $\mathcal{R}^{G_{x'}}$. □

Lemma 10.13. If a node $N$ is univalent in $\mathcal{R}^G$, then there exists a positive integer $x$ such that for all positive integers $x' > x$, node $N$ is univalent in $\mathcal{R}^{G_{x'}}$.

Proof. Fix $N$ as in the hypotheses of the lemma. Let $N$ be $c$-valent for some $c \in \{0,1\}$. Let $d$ be the smallest positive integer such that there exists some descendant $N_c$ of $N$ in $\mathcal{R}^G$ such that $N_c$ is at depth $d$ and $exe(N_c)$ has decision value $c$. Since $N$ is $c$-valent, we know that $d$ exists.

Let $x$ be the smallest positive integer such that the following is true. (1) $G_x$ contains the vertices $v_N$ and $v_{N_c}$. (2) For each location $j$ that is live in $t_D$, $G_x$ contains at least $d$ vertices whose location is $j$. (3) For each location $j$ that is not live in $t_D$, the set of vertices of $G_x$ whose location is $j$ is identical to the set of vertices of $G$ whose location is $j$. Therefore, the sequence of distinct non-$(\bot, 0, \bot)$ vertex tags in the path from the root to $N_c$ is also a path in $G_x$.

Fix a positive integer $x' > x$. Recall that $G_x$ is a prefix of $G_{x'}$, and invoking Lemma 9.28, we know that $\mathcal{R}^{G_{x'}}$ contains the nodes $N$ and $N_c$.

Note that since $N$ is $c$-valent in $\mathcal{R}^G$, there exists no descendant $N'$ of $N$ such that $exe(N')$ has decision value $1 - c$. By the contrapositive of Corollary 9.25, we know that $\mathcal{R}^{G_{x'}}$ does not contain any descendant $N'$ of $N$ such that $exe(N')$ has decision value $1 - c$. By definition, $N$ is $c$-valent in $\mathcal{R}^{G_{x'}}$. □


10.5.2 Valence of nodes in $\mathcal{R}^G$

Now consider only the viable observation $G$. For every fair branch $b$ in $\mathcal{R}^G$, we know from Lemma 10.4 that $exe(b)$ has exactly one decision value. Since every node $N$ is a node in some fair branch $b$, we conclude the following.

Lemma 10.14. Every node $N$ in $\mathcal{R}^G$ is either bivalent or univalent.

Lemma 10.15. The root node $\top$ of $\mathcal{R}^G$ is bivalent.

Proof. Let $\Pi = i_1, i_2, \ldots, i_n$. Note that by construction there exists a path $p_0 = Env_{i_1,0}, Env_{i_2,0}, \ldots, Env_{i_n,0}$ of edges from $\top$. Let $b_0$ be a fair branch that contains $p_0$ as its prefix. By Lemma 10.4, we know $b_0$ contains a single decision value. By Theorem 9.34, we know that there exists a fair trace $t_{0,S}$ of $S$ such that $trace(b_0) = t_{0,S}|_{act(S) \setminus I_D}$. By the validity property we know that the decision value of $trace(b_0)$ must be 0.

Similar to the above construction, there exists a path $p_1 = Env_{i_1,1}, Env_{i_2,1}, \ldots, Env_{i_n,1}$ of edges from $\top$. Let $b_1$ be a fair branch whose prefix is $p_1$. By Lemma 10.4 we know $b_1$ contains a single decision value. By Theorem 9.34 we know that there exists a fair trace $t_{1,S}$ of $S$ such that $trace(b_1) = t_{1,S}|_{act(S) \setminus I_D}$. By the validity property we know that the decision value of $trace(b_1)$ must be 1.

In other words, $\top$ has two descendants $N_0$ (in $b_0$) and $N_1$ (in $b_1$) such that $exe(N_0)$ has decision value 0 and $exe(N_1)$ has decision value 1. By definition, $\top$ is bivalent. □

Based on the properties of the $f$-crash-tolerant binary consensus problem, we have the following lemma.

Lemma 10.16. For each node $N$ in $\mathcal{R}^G$, if $N$ is $v$-valent, then every descendant $\hat{N}$ of $N$ is also $v$-valent.

Proof. Fix $N$ and $v$ as in the hypothesis of the lemma. Let $\hat{N}$ be an arbitrary descendant of $N$. By construction, every descendant of $\hat{N}$ is also a descendant of $N$. Since $N$ is $v$-valent, for every descendant $N'$ of $N$, it is not the case that $1 - v$ is a decision value of $exe(N')$; therefore, for every descendant $N'$ of $\hat{N}$, it is not the case that $1 - v$ is a decision value of $exe(N')$. Fix some fair branch $b$ in $\mathcal{R}^G$ that contains the node $\hat{N}$. By Lemma 10.4, we know that $exe(b)$ has exactly one decision value. Let $N''$ be a node in $b$ that occurs after $\hat{N}$ such that $exe(N'')$ has a decision value. We have already established that this decision value cannot be $1 - v$; therefore, the decision value must be $v$. In other words, $\hat{N}$ is $v$-valent. □
10.6 Gadgets

Consider the system $S$, which consists of a distributed algorithm $\mathcal{A}$, the channel automata, and the environment automaton $\mathcal{E}_C$, such that $\mathcal{A}$ solves $f$-crash-tolerant consensus using $D$ in $\mathcal{E}_C$. In this section, we define "gadgets" and "decision gadgets", which are structures within $\mathcal{R}^G$ that demonstrate how executions of the system $S$ evolve from being bivalent to becoming univalent.

A gadget is a tuple of the form $(N, l, E^l, E'^l)$ or $(N, l, r, E^l, E^r, E^{rl})$, where $N$ is a node, $l$ and $r$ are distinct labels, and $E^l$, $E'^l$, $E^r$, and $E^{rl}$ are edges, such that the following properties are satisfied.

1. $E^l$ and $E'^l$ are $l$-edges of $N$.

2. $E^r$ is an $r$-edge of $N$.

3. $E^{rl}$ is an $l$-edge of $N^r$, where $N^r$ is the node to which $E^r$ is the incoming edge.

Let $Y$ be a gadget; $Y$, which is either of the form $(N, l, E^l, E'^l)$ or of the form $(N, l, r, E^l, E^r, E^{rl})$, is said to be a non-$\bot$ gadget if $N$ is a non-$\bot$ node.^10

A gadget is said to be a decision gadget iff the gadget is either a "fork" or a "hook": Section 10.6.1 defines a "fork" and establishes properties of a fork, and Section 10.6.2 defines a "hook" and establishes properties of a hook. In both cases, we show that a decision gadget must have what we call a "critical location", which is guaranteed to be live in $G$.

10.6.1 Forks

In the tree $\mathcal{R}^G$, a fork is a gadget $(N, l, E^l, E'^l)$ such that the following are true.

1. $N$ is bivalent.

2. For some $v \in \{0,1\}$, the lower endpoint of $E^l$ is $v$-valent and the lower endpoint of $E'^l$ is $(1 - v)$-valent.

Lemma 10.17. For every fork $(N, l, E^l, E'^l)$ in $\mathcal{R}^G$, $l \in \{FD_j \mid j \in \Pi\}$.

Proof. Fix a fork $(N, l, E^l, E'^l)$ in $\mathcal{R}^G$. From the construction of $\mathcal{R}^G$, we know that for each label $l' \in L \setminus \{FD_j \mid j \in \Pi\}$, node $N$ has exactly one $l'$-edge, whereas for each label $l' \in \{FD_j \mid j \in \Pi\}$, node $N$ has at least one $l'$-edge. Since $E^l$ and $E'^l$ are two distinct $l$-edges of $N$ (their lower endpoints have different valence), $l \in \{FD_j \mid j \in \Pi\}$. □

Any fork $(N, l, E^l, E'^l)$ in $\mathcal{R}^G$ satisfies three properties: (1) the action tags $a_{E^l}$ and $a_{E'^l}$ are not $\bot$, (2) the locations of the action tags $a_{E^l}$ and $a_{E'^l}$ are the same location (say) $i$, and (3) location $i$, called the critical location of the fork, must be live in $G$. We prove each property separately.

For the remainder of this subsection, fix a fork $(N, l, E^l, E'^l)$ from $\mathcal{R}^G$; we use the following convention from the definition of a fork: $N^l$ denotes the $l$-child of $N$ connected by the edge $E^l$, and $N'^l$ denotes the $l$-child of $N$ connected by the edge $E'^l$.

Lemma 10.18. The action tags $a_{E^l}$ and $a_{E'^l}$ are not $\bot$.

Proof. Without loss of generality, assume, for contradiction, that the action tag $a_{E^l}$ is $\bot$. From Lemma 10.17, we know $l \in \{FD_j \mid j \in \Pi\}$; fix a location $i$ such that $l = FD_i$. From the definition of a fork we know that $N$ has at least two $FD_i$-edges. From the construction of $\mathcal{R}^G$, we know that an $FD_i$-edge of $N$ has action tag $\bot$ iff either $G$ has no vertices whose location is $i$ or $v_N$ has no outgoing edge in $G$ to a vertex whose location is $i$. In both cases, $N$ has exactly one $FD_i$-edge. However, this contradicts our earlier conclusion that $N$ has at least two $FD_i$-edges. □

^10 Recall that a node $N$ is a non-$\bot$ node iff the path from $\top$ to node $N$ in $\mathcal{R}^G$ does not contain an edge whose action tag is $\bot$.
Lemma 10.19. The locations of the action tags $a_{E^l}$ and $a_{E'^l}$ are the same.

Proof. Note that for any label $l'$, the actions associated with $l'$ occur at a single location. Since $E^l$ and $E'^l$ have the same label $l$, and from Lemma 10.18 we know that the action tags $a_{E^l}$ and $a_{E'^l}$ are not $\bot$, we conclude that the locations of $a_{E^l}$ and $a_{E'^l}$ must be the same. □

Next, we present the third property of a fork. Before stating this property, we have to define the critical location of a fork. The critical location of the fork $(N, l, E^l, E'^l)$ is the location of $a_{E^l}$ and $a_{E'^l}$; from Lemma 10.19, we know that this is well-defined.

Next, we show that the critical location of the fork $(N, l, E^l, E'^l)$ must be live. We use the following helper lemma.

Lemma 10.20. $N^l \sim_i N'^l$, where $i$ is the critical location of $(N, l, E^l, E'^l)$.

Proof. By construction, the following is true of the states of the automata in system $S$. For each location $x \in \Pi \setminus \{i\}$, the state of the process automaton $A_x$ is the same in states $c_{N^l}$ and $c_{N'^l}$; similarly, the state of the environment automaton $\mathcal{E}_{C,x}$ is the same in states $c_{N^l}$ and $c_{N'^l}$. For every pair of distinct locations $x, y \in \Pi$, the state of the channel automaton $Chan_{x,y}$ is the same in states $c_{N^l}$ and $c_{N'^l}$. Therefore, we conclude that $N^l \sim_i N'^l$. □

Lemma 10.21. The critical location of $(N, l, E^l, E'^l)$ is in $live(G)$.

Proof. Let $i$ be the critical location of $(N, l, E^l, E'^l)$. Applying Lemma 10.17, we conclude that $l$ is $FD_i$. Since $N^l$ and $N'^l$ are $l$-children of $N$, we note that the states of all automata in system $S$ in states $c_{N^l}$ and $c_{N'^l}$ are the same, except for the state of the process automaton at $i$. Recall that $v_{N^l}$ and $v_{N'^l}$ are the vertex tags of $N^l$ and $N'^l$, respectively. From Lemma 10.18 we know that the action tags $a_{E^l}$ and $a_{E'^l}$ are not $\bot$; therefore, $v_{N^l}$ and $v_{N'^l}$ are vertices in $G$. Note that $N^l$ is $v$-valent for some $v \in \{0,1\}$ and $N'^l$ is $(1 - v)$-valent. In order to show that $i$ is in $live(G)$, we have to show that $G$ contains infinitely many vertices whose location is $i$.

For contradiction, assume that the critical location $i$ of $(N, l, E^l, E'^l)$ is not in $live(G)$. Then, by definition, $G$ contains only finitely many vertices whose location is $i$. Recall that $G$ is a viable observation of $D$ such that at most $f$ locations are not live in $G$. Since $f < n$, we conclude that at least one location is live in $G$. Fix such a location $j$; note that $j \neq i$, since $j$ is live and $i$ is not.

From Lemma 8.3 we know that there exists a positive integer $k$ such that for every positive integer $k' > k$, there is no edge from any vertex of the form $(j, k', *)$ to any vertex whose location is $i$. Fix such a positive integer $k$, and fix the corresponding vertex $(j, k, *)$.

From Lemma 8.2 we know that there exists a positive integer $k' > k$ such that there are outgoing edges from $v_{N^l}$ and $v_{N'^l}$ to a vertex $(j, k', *)$; fix such a vertex $v_1 = (j, k', e')$.

From the construction of $\mathcal{R}^G$, we know that there exist $FD_j$-edges $E^{l \cdot FD_j}$ and $E'^{l \cdot FD_j}$ from $N^l$ and $N'^l$, respectively, whose action tag is $e'$ and vertex tag is $v_1$. Let $N^{l \cdot FD_j}$ and $N'^{l \cdot FD_j}$ be the $FD_j$-children of $N^l$ and $N'^l$, respectively, connected to their parents by the edges $E^{l \cdot FD_j}$ and $E'^{l \cdot FD_j}$, respectively. By construction, $v_{N^{l \cdot FD_j}} = v_{N'^{l \cdot FD_j}} = v_1$.

By Lemma 10.20 we know that $N^l \sim_i N'^l$. Since the action tags of $E^{l \cdot FD_j}$ and $E'^{l \cdot FD_j}$ are the same, we conclude that the states of all automata in system $S$ in states $c_{N^{l \cdot FD_j}}$ and $c_{N'^{l \cdot FD_j}}$ are the same, except for the state of the process automaton $A_i$. Therefore, $N^{l \cdot FD_j} \sim_i N'^{l \cdot FD_j}$. We have already established that $v_{N^{l \cdot FD_j}} = v_{N'^{l \cdot FD_j}} = v_1$, and that there are no outgoing edges from $v_1$ to vertices whose location is $i$. Thus, by definition, $N^{l \cdot FD_j}$ and $N'^{l \cdot FD_j}$ are post-crash$_i$ nodes.^11

Recall that $N^l$ is $v$-valent and $N'^l$ is $(1 - v)$-valent. Therefore, applying Lemma 10.16, we know that $N^{l \cdot FD_j}$ is $v$-valent and $N'^{l \cdot FD_j}$ is $(1 - v)$-valent. Let $b$ be a fair branch of $\mathcal{R}^G$ that contains the nodes $N$, $N^l$, and $N^{l \cdot FD_j}$.

Since $N$ is bivalent, from Lemma 10.7 we know that $exe(N)$ does not have a decision value. Since $l$ is $FD_i$ and the next edge in $b$ is an $FD_j$-edge, neither of which carries a decide action, we know that $exe(N^l)$ and $exe(N^{l \cdot FD_j})$ do not have decision values either. From Lemma 10.4 we know that $exe(b)$ has exactly one decision value, and since $N^{l \cdot FD_j}$ is $v$-valent, that decision value is $v$. That is, there exist an edge $E^v$ and a node $N^v$ such that $E^v$ occurs in $b$ after $N^{l \cdot FD_j}$, $a_{E^v}$ is $decide(v)_j$, and $N^v$ is the node that precedes $E^v$ in $b$.

Since $N^{l \cdot FD_j}$ and $N'^{l \cdot FD_j}$ are post-crash$_i$ nodes with $N^{l \cdot FD_j} \sim_i N'^{l \cdot FD_j}$, we apply Theorem 9.23 to conclude that there exists a descendant $N'^v$ of $N'^{l \cdot FD_j}$ such that $N^v \sim_i N'^v$. From the definition of $\sim_i$, and since $j \neq i$, we know that the state of the process automaton at $j$ is the same in $c_{N^v}$ and $c_{N'^v}$. Since the action $a_{E^v} = decide(v)_j$ is enabled at the process automaton at $j$ in state $c_{N^v}$, we know that the action $decide(v)_j$ is enabled in state $c_{N'^v}$. Therefore, the $Proc_j$-child of $N'^v$ has decision value $v$. However, since $N'^{l \cdot FD_j}$ is $(1 - v)$-valent and $N'^v$ is a descendant of $N'^{l \cdot FD_j}$, by Lemma 10.16 we know that $N'^v$ is $(1 - v)$-valent. Thus, we have a contradiction. □

^11 Recall from Section 9.5 that a node $N$ is a post-crash$_i$ node if the following property is satisfied. If $v_N = (\bot, 0, \bot)$, then there are no vertices in $G$ whose location is $i$. Otherwise, there are no outgoing edges in $G$ from $v_N$ to any vertex whose location is $i$.


10.6.2 Hooks

In the tree $\mathcal{R}^G$, a hook is a gadget $(N, l, r, E^l, E^r, E^{rl})$ such that the following are true.

1. $N$ is bivalent.

2. For some $v \in \{0,1\}$, the lower endpoint of $E^l$ is $v$-valent and the lower endpoint of $E^{rl}$ is $(1 - v)$-valent.

3. $a_{E^r} \neq \bot$.

Any hook $(N, l, r, E^l, E^r, E^{rl})$ in $\mathcal{R}^G$ satisfies three properties: (1) the action tags $a_{E^l}$ and $a_{E^r}$ cannot be $\bot$, (2) the locations of the action tags $a_{E^l}$ and $a_{E^r}$ must be the same location (say) $i$, and (3) location $i$, called the critical location of the hook, must be live in $G$. We prove each property separately.

For the remainder of this subsection, fix a hook $(N, l, r, E^l, E^r, E^{rl})$ in $\mathcal{R}^G$; we use the following convention from the definition of a hook: $N^l$ denotes the $l$-child of $N$ connected by the edge $E^l$, $N^r$ denotes the $r$-child of $N$ connected by the edge $E^r$, and $N^{rl}$ denotes the $l$-child of $N^r$ connected by the edge $E^{rl}$.

Lemma 10.22. The action tags $a_{E^l}$ and $a_{E^r}$ are not $\bot$.

Proof. From the definition of a hook, we know that $a_{E^r} \neq \bot$. It remains to show that $a_{E^l} \neq \bot$. For contradiction, assume $a_{E^l}$ is $\bot$. Then, by construction, $c_N = c_{N^l}$ and $v_N = v_{N^l}$. Recall that $N$ is bivalent and its descendant $N^{rl}$ is $(1 - v)$-valent. From the definition of valence, we know that there exists a descendant $N_{(1-v)}$ of $N^{rl}$ (and therefore a descendant of $N$) such that the decision value of $exe(N_{(1-v)})$ is $1 - v$.

Applying Lemma 9.19 to $N$ and $N^l$, we know that there exists a descendant $N^l_{(1-v)}$ of $N^l$ such that the suffix of $exe(N^l_{(1-v)})$ following $exe(N^l)$ is identical to the suffix of $exe(N_{(1-v)})$ following $exe(N)$. Since $N$ is bivalent, by Lemma 10.7 $exe(N)$ does not have a decision value; it follows that some event in the suffix of $exe(N_{(1-v)})$ following $exe(N)$ must be of the form $decide(1 - v)_i$ (where $i \in \Pi$). Therefore, the decision value of $exe(N^l_{(1-v)})$ is $1 - v$. But since $N^l$ is $v$-valent, we have a contradiction. □
Lemma 10.23. The locations of the action tags $a_{E^l}$ and $a_{E^r}$ are the same.

Proof. For the purpose of contradiction, we assume that the location $i$ of the action tag $a_{E^l}$ is different from the location $j$ of the action tag $a_{E^r}$; that is, $i \neq j$. This assumption implies that $l \in \{FD_i, Proc_i\} \cup \{Chan_{k,i} \mid k \in \Pi \setminus \{i\}\} \cup \{Env_{i,v} \mid v \in \{0,1\}\}$ and $r \in \{FD_j, Proc_j\} \cup \{Chan_{k,j} \mid k \in \Pi \setminus \{j\}\} \cup \{Env_{j,v} \mid v \in \{0,1\}\}$. From Lemma 10.22, we know that $a_{E^l}$ and $a_{E^r}$ are both enabled actions in state $c_N$.

A simple case analysis for all possible values of $l$ and $r$ (while noting that $i \neq j$) establishes the following. Extending $exe(N)$ by applying $a_{E^l}$ followed by $a_{E^r}$ yields the same final state as applying $a_{E^r}$ followed by $a_{E^l}$ to $exe(N)$. Intuitively, the reason is that $a_{E^l}$ and $a_{E^r}$ occur at different locations, and therefore may be applied in either order to $exe(N)$ and result in the same final state. The above observation implies that the $l$-edge $E^{rl}$ of $N^r$ has action tag $a_{E^{rl}} = a_{E^l}$, and that $N^l$ has an $r$-edge $E^{lr}$ whose action tag $a_{E^{lr}}$ is the action $a_{E^r}$; let $N^{lr}$ be the $r$-child of $N^l$ connected by $E^{lr}$. Observe that $c_{N^{lr}} = c_{N^{rl}}$ and $v_{N^{lr}} = v_{N^{rl}}$.

Recall that since $(N, l, r, E^l, E^r, E^{rl})$ is a hook, $N^l$ is $v$-valent and $N^{rl}$ is $(1 - v)$-valent for some $v \in \{0,1\}$. Since $N^{lr}$ is a descendant of $N^l$, by Lemma 10.16 $N^{lr}$ is also $v$-valent. Let $N^{lr}_v$ be a descendant of $N^{lr}$ such that $exe(N^{lr}_v)$ has decision value $v$. Applying Lemma 9.19, we know that there exists a descendant $N^{rl}_v$ of $N^{rl}$ such that $c_{N^{rl}_v} = c_{N^{lr}_v}$ and the suffix of $exe(N^{rl}_v)$ following $exe(N^{rl})$ is identical to the suffix of $exe(N^{lr}_v)$ following $exe(N^{lr})$.

Note that since $N$ is bivalent, by Lemma 10.7, $exe(N)$ has no decision value.

Claim 1. $a_{E^l}$ is not a decide action.

Proof. For contradiction, assume $a_{E^l}$ is a decide action. Since $exe(N^l)$ contains the event $a_{E^l}$ and $N^l$ is $v$-valent, it follows that $a_{E^l}$ is a $decide(v)$ action. However, recall that $a_{E^{rl}} = a_{E^l}$ and that $exe(N^{rl})$ contains the event $a_{E^{rl}}$; therefore, $exe(N^{rl})$ contains a $decide(v)$ event. However, $N^{rl}$ is $(1 - v)$-valent. Thus, we have a contradiction. □

Claim 2. $a_{E^r}$ is not a decide action.

Proof. Similar to the proof of Claim 1. □

From Claims 1 and 2, we know that for each of $N$'s $l$-edge, $N$'s $r$-edge, $N^l$'s $r$-edge, and $N^r$'s $l$-edge, the action tag cannot be a decide action. Therefore, since $exe(N^{lr}_v)$ has decision value $v$, the suffix of $exe(N^{lr}_v)$ following $exe(N^{lr})$ contains an event of the form $decide(v)$. In other words, the suffix of $exe(N^{rl}_v)$ following $exe(N^{rl})$ contains an event of the form $decide(v)$. However, this is impossible because $N^{rl}$ is $(1 - v)$-valent. □

Next, we present the third property of a hook. Before stating this property, we have to define the critical location of a hook. Given the hook $(N, l, r, E^l, E^r, E^{rl})$, the critical location of the hook is the location of $a_{E^l}$ and $a_{E^r}$; from Lemma 10.23, we know that this is well-defined.


Lemma 10.24. The critical location of $(N, l, r, E^l, E^r, E^{rl})$ is in $live(G)$.

Proof. Note that $N^l$ is $v$-valent for some $v \in \{0,1\}$ and $N^{rl}$ is $(1 - v)$-valent. Let $i$ be the critical location of the hook $(N, l, r, E^l, E^r, E^{rl})$. In order to show that $i$ is in $live(G)$, we have to show that $G$ contains infinitely many vertices whose location is $i$.

For the purpose of contradiction, we assume that $G$ contains only finitely many vertices whose location is $i$. Recall that $G$ is a viable observation of $D$ such that at most $f$ locations are not live in $G$. Since $f < n$, we conclude that at least one location is live in $G$. Fix such a location $j$; note that $j \neq i$, since $j$ is live and $i$ is not.

From Lemma 8.3 we know that there exists a positive integer $k$ such that for each positive integer $k' > k$, there is no edge from any vertex of the form $(j, k', *)$ to any vertex whose location is $i$. Fix such a positive integer $k$, and fix the corresponding vertex $(j, k, *)$.

Next we fix a vertex $v_1$ in $G$ such that, roughly speaking, the event $e'$ of $v_1$ is an event at $j$ and "occurs" after the events of $v_N$, $v_{N^l}$, and $v_{N^{rl}}$ and after location $i$ has "crashed"; precisely, $v_1$ is fixed as follows. Let $V'$ be $V \cap \{v_N, v_{N^l}, v_{N^{rl}}\}$; that is, $V'$ is the maximal subset of $\{v_N, v_{N^l}, v_{N^{rl}}\}$ such that each vertex in $V'$ is a vertex of $G$. If $V'$ is non-empty, then from Lemma 8.2 we know that there exists a positive integer $k' > k$ such that there are outgoing edges from each vertex in $V'$ to a vertex $(j, k', *)$; fix $v_1$ to be such a vertex $(j, k', e')$. If $V'$ is empty, then fix $v_1$ to be any vertex in $V$ of the form $(j, k', e')$, where $k' > k$.

From the construction of $\mathcal{R}^G$, we know that there exist $FD_j$-edges $E^{FD_j}$, $E^{l \cdot FD_j}$, and $E^{rl \cdot FD_j}$ from $N$, $N^l$, and $N^{rl}$, respectively, whose action tag is $e'$ and vertex tag is $v_1$. Let $N^{FD_j}$, $N^{l \cdot FD_j}$, and $N^{rl \cdot FD_j}$ be the $FD_j$-children of $N$, $N^l$, and $N^{rl}$, respectively, connected to their parents by the edges $E^{FD_j}$, $E^{l \cdot FD_j}$, and $E^{rl \cdot FD_j}$, respectively. By construction, $v_{N^{FD_j}} = v_{N^{l \cdot FD_j}} = v_{N^{rl \cdot FD_j}} = v_1$. See Figure 2 for reference.

Also recall that in $G$ there is no edge from the vertex $(j, k, *)$ to any vertex whose location is $i$, and since $k' > k$, we know that there is no edge from $v_1$ to any vertex whose location is $i$. Therefore, $N^{FD_j}$, $N^{l \cdot FD_j}$, and $N^{rl \cdot FD_j}$ are post-crash$_i$ nodes.^12

Figure 2: This figure shows how the nodes $N^{FD_j}$, $N^{l \cdot FD_j}$, and $N^{rl \cdot FD_j}$ are determined in the proof of Lemma 10.24.

Note that by construction, the following is true of the states of the automata in system $S$. For each location $x \in \Pi \setminus \{i\}$, the state of the process automaton $A_x$ is the same in states $c_{N^{FD_j}}$, $c_{N^{l \cdot FD_j}}$, and $c_{N^{rl \cdot FD_j}}$; similarly, the state of the environment automaton $\mathcal{E}_{C,x}$ is the same in states $c_{N^{FD_j}}$, $c_{N^{l \cdot FD_j}}$, and $c_{N^{rl \cdot FD_j}}$. For every pair of distinct locations $x, y \in \Pi \setminus \{i\}$, the state of the channel automaton $Chan_{x,y}$ is the same in states $c_{N^{FD_j}}$, $c_{N^{l \cdot FD_j}}$, and $c_{N^{rl \cdot FD_j}}$. Finally, for every location $x \in \Pi \setminus \{i\}$, the messages in transit in the channel automaton $Chan_{i,x}$ in state $c_{N^{FD_j}}$ form a prefix of the messages in transit in $Chan_{i,x}$ in state $c_{N^{l \cdot FD_j}}$ and in state $c_{N^{rl \cdot FD_j}}$. Therefore, we conclude that $N^{FD_j} \sim_i N^{l \cdot FD_j}$ and $N^{FD_j} \sim_i N^{rl \cdot FD_j}$.

Recall that $N^l$ is $v$-valent and $N^{rl}$ is $(1 - v)$-valent. Therefore, applying Lemma 10.16, we know that $N^{l \cdot FD_j}$ is $v$-valent and $N^{rl \cdot FD_j}$ is $(1 - v)$-valent. Also recall that $N$ is bivalent.

Let $b$ be a fair branch of $\mathcal{R}^G$ that contains the nodes $N$ and $N^{FD_j}$. By Lemma 10.4 we know that $exe(b)$ has exactly one decision value, (say) $v'$; note that either $v' = v$ or $v' = 1 - v$. We consider each case.

Case 1. $v' = v$. There exists an edge $E_v$ in $b$ such that the action tag of $E_v$ is $decide(v)_j$. Let $N_v$ be the node preceding $E_v$ in $b$. Note that $N_v$ is a descendant of $N^{FD_j}$. Recall that $N^{FD_j}$ and $N^{rl \cdot FD_j}$ are post-crash$_i$ nodes with $N^{FD_j} \sim_i N^{rl \cdot FD_j}$. By Theorem 9.23 we know that there exists a descendant $N^{rl}_v$ of $N^{rl \cdot FD_j}$ such that $N_v \sim_i N^{rl}_v$. From the definition of $\sim_i$, and since $j \neq i$, we know that the state of the process automaton at $j$ is the same in $c_{N_v}$ and $c_{N^{rl}_v}$. Since the action $a_{E_v} = decide(v)_j$ is enabled at the process automaton at $j$ in state $c_{N_v}$, we know that the action $decide(v)_j$ is enabled in state $c_{N^{rl}_v}$. Therefore, the $Proc_j$-child $N'^{rl}_v$ of $N^{rl}_v$ has decision value $v$. However, since $N^{rl \cdot FD_j}$ is $(1 - v)$-valent and $N'^{rl}_v$ is a descendant of $N^{rl \cdot FD_j}$, by Lemma 10.16 we know that $N'^{rl}_v$ is $(1 - v)$-valent. Thus, we have a contradiction.

Case 2. $v' = 1 - v$. This is analogous to Case 1, except that we replace $N^{rl \cdot FD_j}$ with $N^{l \cdot FD_j}$. □

^12 See footnote 11 for the definition of a post-crash$_i$ node.


10.6.3 Decision Gadgets

Recall that a decision gadget is a gadget that is either a fork or a hook. We have seen that both forks and hooks have a critical location that must be live in $G$. Thus, if a tree $\mathcal{R}^G$ contains a decision gadget, then the critical location of that decision gadget must be live in $G$.
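The valence classification of Section 10.5 and the fork and hook definitions above can be checked mechanically on a finite fragment of an execution tree. The following Python program is an added example and is not part of the paper: it builds a small, hand-constructed tree fragment whose node names, labels, and action-tag strings are invented for illustration, computes the valence of every node from the decision values reachable below it, and then searches for forks and hooks exactly as defined (a fork is a bivalent node with two edges of the same label whose lower endpoints have opposite valence; a hook is a bivalent node $N$ with an $l$-edge to a $v$-valent child, a non-$\bot$ $r$-edge with $r \neq l$ to $N^r$, and an $l$-edge of $N^r$ to a $(1 - v)$-valent child). The toy tree is not a genuine $\mathcal{R}^G$ (in particular it does not model the duplicated states that Lemma 9.18 attaches to $\bot$-tagged edges), so it illustrates only the definitions and the critical-location computation, not the liveness guarantee of Lemmas 10.21 and 10.24.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, Iterator, List, Optional, Tuple

BOT = None  # stands in for the action tag ⊥ (an edge that changes nothing)


def decide_value(action: Optional[str]) -> Optional[int]:
    """decide(v)_i action tags carry the decision value v; other tags carry none."""
    return int(action[7]) if action and action.startswith("decide(") else None


def location(action: Optional[str]) -> Optional[str]:
    """Location of a non-⊥ action tag; by convention tags end in '_<loc>'."""
    return None if action is BOT else action.rsplit("_", 1)[1]


@dataclass
class Edge:
    label: str             # l in L, e.g. "FD_1", "Proc_1", "Chan_2,1"
    action: Optional[str]  # action tag a_E (BOT models ⊥)
    child: "Node"          # lower endpoint


@dataclass
class Node:
    name: str
    decision: Optional[int] = None  # decision value of exe(N), if any
    edges: List[Edge] = field(default_factory=list)

    def add(self, label: str, action: Optional[str], child: "Node") -> "Node":
        """Attach child by an l-edge; exe(child) inherits or acquires the decision value."""
        child.decision = self.decision if self.decision is not None else decide_value(action)
        self.edges.append(Edge(label, action, child))
        return child


def subtree(n: Node) -> Iterator[Node]:
    """n and all of its descendants."""
    stack = [n]
    while stack:
        m = stack.pop()
        yield m
        stack.extend(e.child for e in m.edges)


def valence(n: Node):
    """Section 10.5: 'bivalent' if decisions 0 and 1 are both reachable below n,
    v-valent (returns v) if only v is, None if no decision is reachable."""
    vals = {m.decision for m in subtree(n) if m.decision is not None}
    if vals == {0, 1}:
        return "bivalent"
    return vals.pop() if vals else None


def forks(root: Node) -> List[Tuple[str, str, Edge, Edge]]:
    """(N, l, E^l, E'^l): N bivalent, two l-edges whose lower endpoints have opposite valence."""
    out = []
    for n in (m for m in subtree(root) if valence(m) == "bivalent"):
        by_label: Dict[str, List[Edge]] = {}
        for e in n.edges:
            by_label.setdefault(e.label, []).append(e)
        for l, es in by_label.items():
            for e1, e2 in combinations(es, 2):
                if {valence(e1.child), valence(e2.child)} == {0, 1}:
                    out.append((n.name, l, e1, e2))
    return out


def hooks(root: Node) -> List[Tuple[str, str, str, Edge, Edge, Edge]]:
    """(N, l, r, E^l, E^r, E^rl): N bivalent, N^l v-valent, N^rl (1-v)-valent, a_{E^r} != ⊥."""
    out = []
    for n in (m for m in subtree(root) if valence(m) == "bivalent"):
        for el in n.edges:
            v = valence(el.child)
            if v not in (0, 1):
                continue
            for er in n.edges:
                if er.label == el.label or er.action is BOT:  # need r != l and a_{E^r} != ⊥
                    continue
                for erl in er.child.edges:
                    if erl.label == el.label and valence(erl.child) == 1 - v:
                        out.append((n.name, el.label, er.label, el, er, erl))
    return out


def critical_location(gadget: tuple) -> str:
    """Shared location of a_{E^l}, a_{E'^l} (fork) or of a_{E^l}, a_{E^r} (hook)."""
    first, second = (gadget[2], gadget[3]) if len(gadget) == 4 else (gadget[3], gadget[4])
    i, j = location(first.action), location(second.action)
    if i is None or i != j:
        raise ValueError("gadget violates Lemma 10.18/10.19 or 10.22/10.23")
    return i


def build_example_tree() -> Node:
    """Hand-built fragment (not derived from any observation G); all names are invented."""
    top = Node("T")
    a = top.add("FD_1", "fdout(x)_1", Node("A"))  # two FD_1-edges at T: a fork at location 1
    a.add("Proc_1", "decide(0)_1", Node("A0"))
    b = top.add("FD_1", "fdout(y)_1", Node("B"))
    b.add("Proc_1", "decide(1)_1", Node("B1"))
    c = top.add("Proc_2", "step_2", Node("C"))    # C is bivalent and hosts a hook
    cl = c.add("Proc_1", "step_1", Node("Cl"))
    cl.add("Proc_1", "decide(0)_1", Node("Cl0"))
    cr = c.add("Chan_2,1", "recv(m)_1", Node("Cr"))
    crl = cr.add("Proc_1", "step_1", Node("Crl"))
    crl.add("Proc_1", "decide(1)_1", Node("Crl1"))
    cb = c.add("FD_2", BOT, Node("Cb"))           # ⊥-tagged edge: rejected as E^r by condition 3
    cbl = cb.add("Proc_1", "step_1", Node("Cbl"))
    cbl.add("Proc_1", "decide(1)_1", Node("Cbl1"))
    return top
```

On the constructed tree, `forks(build_example_tree())` returns the single fork at $\top$ on label $FD_1$, and `hooks(...)` returns the single hook at node $C$ with $l = Proc_1$ and $r = Chan_{2,1}$; both have critical location 1, and the $\bot$-tagged $FD_2$ edge at $C$ is rejected as an $E^r$ by condition 3 of the hook definition. Lemma 10.17 is visible in the output as well: the only fork label is an $FD_j$ label, because those are the only labels under which a node of the tree can carry two edges.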


10.7 Existence of a Decision Gadget

The previous subsection demonstrated interesting properties of decision gadgets in $\mathcal{R}^G$. However, it did not demonstrate that $\mathcal{R}^G$ in fact contains decision gadgets. We address this here. Recall that $G$ is viable for $D$, and at most $f$ locations are not live in $G$.

Lemma 10.25. There exist a bivalent node $N$ in tree $\mathcal{R}^G$ and a label $l$ such that for every descendant $\hat{N}$ of $N$ (including $N$), every $l$-child of $\hat{N}$ is univalent.

Proof. For contradiction, assume that for every bivalent node $N$ in the tree $\mathcal{R}^G$ and every label $l \in L$, there exists a descendant $\hat{N}$ of $N$ such that some $l$-child of $\hat{N}$ is bivalent. Therefore, from any bivalent node $N$ in the tree $\mathcal{R}^G$, we can choose any label $l$ and find a descendant $N'$ of $N$ such that (1) $N'$ is bivalent, and (2) the path between $N$ and $N'$ contains an edge with label $l$.

Recall that the $\top$ node is bivalent (Lemma 10.15). Applying Lemma 9.2, we know that each node in $\mathcal{R}^G$ has an $l$-edge for each label $l \in L$. Thus, by choosing labels in a round-robin fashion, we can construct a fair branch $b$ starting from the $\top$ node such that every node in that branch is bivalent. Fix such a $b$. We will use $b$ to get a contradiction to the fact that the distributed algorithm $\mathcal{A}$ solves $f$-crash-tolerant consensus using $D$.

By Theorem 9.34 we know that there exists a fair trace $t_S$ of $S$ such that $trace(b) = t_S|_{act(S) \setminus I_D}$ and $t_S|_{I_D \cup O_D} \in T_D$. Since $trace(b)|_{O_D} = t_S|_{O_D}$ and $t_S|_{I_D \cup O_D} \in T_D$, we know that at most $f$ locations are not live in $t_S$; therefore, $t_S|_{I_P \cup O_P}$ satisfies $f$-crash limitation. Let $\alpha$ be a fair execution of $S$ whose trace is $t_S$. Since $t_S|_{I_P \cup O_P}$ satisfies $f$-crash limitation, $\alpha|_{I_P \cup O_P}$ also satisfies $f$-crash limitation. Invoking Lemma 10.3, we know that $\alpha$ has exactly one decision value. Since $trace(b) = t_S|_{act(S) \setminus I_D}$ and $t_S$ is the trace of $\alpha$, we know that $trace(b)$ has exactly one decision value. In other words, $exe(b)$ has exactly one decision value. Therefore, there exists a node $N$ in $b$ such that $exe(N)$ has a decision value. However, by Lemma 10.7 a bivalent node has no decision value, which contradicts our conclusion that every node in $b$ is bivalent. □

Lemma 10.26. There exist a bivalent node $N$ in tree $\mathcal{R}^G$, a descendant $\hat{N}$ of $N$ (possibly $N$ itself), a label $l$, and $v \in \{0,1\}$ such that (1) for every descendant $N'$ of $N$, each $l$-child of $N'$ is univalent, (2) some $l$-child of $N$ is $v$-valent, and (3) some $l$-child of $\hat{N}$ is $(1 - v)$-valent.

Proof. Invoking Lemma 10.25, we fix a pair $(N, l)$ of node $N$ and label $l$ such that (1) $N$ is bivalent, and (2) for every descendant $N'$ of $N$ (including $N$), every $l$-child of $N'$ is univalent. Let an $l$-child of $N$ be $v$-valent for some $v \in \{0,1\}$. Since $N$ is bivalent, there must exist some descendant $\hat{N}$ of $N$ such that $exe(\hat{N})$ has decision value $1 - v$; that is, $\hat{N}$ is $(1 - v)$-valent. By Lemma 10.16, it follows that any $l$-child of $\hat{N}$ is $(1 - v)$-valent. □


Lemma 10.27. There exists a bivalent node $N$ such that at least one of the following holds. (1) There exist a label $l$ and a pair of edges $E^l$ and $E'^l$ such that $(N, l, E^l, E'^l)$ is a fork. (2) There exist a pair of labels $l, r$ and edges $E^l$, $E^r$, and $E^{rl}$ such that $(N, l, r, E^l, E^r, E^{rl})$ is a hook.

Proof. Applying Lemma 10.26, we know that there exist some node $N$ in tree $\mathcal{R}^G$, a descendant $\hat{N}$ of $N$, and a label $l$ such that (1) $N$ is bivalent, (2) for every descendant $N'$ of $N$, every $l$-child of $N'$ is univalent, (3) some $l$-child of $N$ (denoted $uni(N)$) is $v$-valent, where $v \in \{0,1\}$, and (4) some $l$-child of $\hat{N}$ (denoted $uni(\hat{N})$) is $(1 - v)$-valent.

Extend the path from $N$ to $\hat{N}$ to $uni(\hat{N})$, yielding a path $w$. Let $E$ be the first $l$-edge on $w$, let $M$ be the upper endpoint of $E$, and let $M^l$ be the lower endpoint of $E$. Thus, the path from $N$ to $M$ does not contain any $l$-edge. Note the following: (1) $uni(\hat{N})$ is a descendant of $\hat{N}$ and is $(1 - v)$-valent, (2) $\hat{N}$ is either $M$ or a descendant of $M^l$, and (3) by Lemma 10.26, $M^l$ is univalent. Thus, we conclude that $M^l$ is $(1 - v)$-valent. See Figure 3 for reference.

Note that for each node $N'$ on the path from $N$ to $M$, each $l$-child $N'^l$ of $N'$ is univalent. Recall that $uni(N)$, which is an $l$-child of $N$, is $v$-valent, and $M^l$, which is an $l$-child of $M$, is $(1 - v)$-valent. Therefore, there exist a label $r$ and an $r$-edge $E^r$ from a node $\bar{N}$ to a node $\bar{N}^r$ on the path from $N$ to $M$ (inclusive) such that some $l$-child $\bar{N}^l$ of $\bar{N}$ is $v$-valent and some $l$-child $\bar{N}^{rl}$ of $\bar{N}^r$ is $(1 - v)$-valent. Let $E^l$ denote the edge connecting $\bar{N}$ and $\bar{N}^l$, and let $E^{rl}$ denote the edge connecting $\bar{N}^r$ and $\bar{N}^{rl}$. (See Figure 3.) Note that $\bar{N}$ is bivalent, since it has descendants with decision values $v$ and $1 - v$, and that $r \neq l$, since the path from $N$ to $M$ contains no $l$-edge.

We consider two cases: (1) $a_{E^r} \neq \bot$, and (2) $a_{E^r} = \bot$.

(1) If $a_{E^r} \neq \bot$, then by definition, $(\bar{N}, l, r, E^l, E^r, E^{rl})$ is a hook.

(2) Otherwise, $a_{E^r} = \bot$; therefore, $c_{\bar{N}} = c_{\bar{N}^r}$ and $v_{\bar{N}} = v_{\bar{N}^r}$. Applying Lemma 9.18, we know that there exists an $l$-child $\bar{N}'^l$ of $\bar{N}$ such that $c_{\bar{N}'^l} = c_{\bar{N}^{rl}}$ and $v_{\bar{N}'^l} = v_{\bar{N}^{rl}}$. Since $\bar{N}^{rl}$ is $(1 - v)$-valent, $\bar{N}'^l$ is also $(1 - v)$-valent. In other words, $\bar{N}$ has two $l$-children $\bar{N}^l$ and $\bar{N}'^l$, where $\bar{N}^l$ is $v$-valent and $\bar{N}'^l$ is $(1 - v)$-valent. Thus, $(\bar{N}, l, E^l, E'^l)$ is a fork, where $E'^l$ is the edge from $\bar{N}$ to $\bar{N}'^l$. □

Thus, we arrive at the main result of this section. 

Theorem 10.28. For every observation G that is viable for D such that live(G) contains at least n − f locations, the directed tree $\mathcal{R}^G$ contains at least one decision gadget. For each decision gadget in $\mathcal{R}^G$, the critical location of the decision gadget is live in G.


Proof. Fix G. From Lemma 10.27 we know that $\mathcal{R}^G$ has at least one decision gadget. For each decision gadget that is a fork, from Lemma 10.21 we know that the critical location of that decision gadget is live in G, and for each decision gadget that is a hook, from Lemma 10.24 we know that the critical location of that decision gadget is live in G. □

Figure 3: Construction that shows the existence of a “fork” or a “hook” in the proof for Lemma 10.27.

Theorem 10.29. For every observation G that is viable for D such that live(G) contains at least n − f locations, the directed tree $\mathcal{R}^G$ contains at least one non-⊥ decision gadget.


Proof. Fix G. From Theorem 10.28 we know that $\mathcal{R}^G$ contains at least one decision gadget. Fix Y to be such a decision gadget. Let node N be the first element in the tuple Y. Applying Corollary 9.21, we know that there exists a non-⊥ node N' such that exe(N) = exe(N') and $v_N = v_{N'}$. Applying Lemma 9.20 to the descendants of N and N', we know that there exists a non-⊥ decision gadget Y' whose first element is N'. □


Theorem 10.29 establishes an important property of any strong-sampling AFD that is sufficient 
to solve consensus. It demonstrates that in any fair execution of a system that solves consensus 
using an AFD, some prefix of the execution is bivalent whereas eventually, a longer prefix becomes 
univalent. The transition from a bivalent to a univalent execution must be the consequence of an 
event at a correct location. 


10.8 Decision gadgets for execution trees in a convergent sequence of observations

Recall that G is a viable observation of D such that at most f locations are not live in G, that the trace in $T_D$ fixed earlier is compatible with D, and that $G_1, G_2, G_3, \ldots$ is a sequence of observations that converge to G. Next we show the “persistence” of non-⊥ decision gadgets across the sequence of execution trees $\mathcal{R}^{G_1}, \mathcal{R}^{G_2}, \mathcal{R}^{G_3}, \ldots$.

Lemma 10.30. Let Y be a non-⊥ decision gadget in $\mathcal{R}^G$. There exists a positive integer x such that for all positive integers x' > x, Y is a non-⊥ decision gadget in $\mathcal{R}^{G_{x'}}$.
Proof. Fix Y to be a non-⊥ decision gadget in $\mathcal{R}^G$. We consider two cases: (1) Y is a fork, and (2) Y is a hook.

Case 1. Let Y be a fork $(N, \ell, E^\ell, E'^\ell)$ in $\mathcal{R}^G$. Let $N^\ell$ be the ℓ-child of N whose incoming edge is $E^\ell$, and let $N'^\ell$ be the ℓ-child of N whose incoming edge is $E'^\ell$. Let $N^\ell$ be c-valent, and let $N'^\ell$ be (1 − c)-valent for some $c \in \{0,1\}$.

Invoking Corollary 10.12, we know that there exists a positive integer $x_b$ such that for all $x' > x_b$, N is a non-⊥ bivalent node in $\mathcal{R}^{G_{x'}}$. Invoking Lemma 10.13, we know that there exists a positive integer $x_u$ such that for all $x' > x_u$, $N^\ell$ is c-valent and $N'^\ell$ is (1 − c)-valent in $\mathcal{R}^{G_{x'}}$. Let $x = \max(x_b, x_u)$. By construction, for each x' > x, Y is a non-⊥ fork in $\mathcal{R}^{G_{x'}}$.

Case 2. Let Y be a hook $(N, \ell, r, E^\ell, E^r, E^{r\ell})$ in $\mathcal{R}^G$. Let $N^\ell$ be the ℓ-child of N whose incoming edge is $E^\ell$. Let $N^r$ be the r-child of N whose incoming edge is $E^r$. Let $N^{r\ell}$ be the ℓ-child of $N^r$ whose incoming edge is $E^{r\ell}$. Let $N^\ell$ be c-valent, and let $N^{r\ell}$ be (1 − c)-valent for some $c \in \{0,1\}$.

Invoking Corollary 10.12, we know that there exists a positive integer $x_b$ such that for all $x' > x_b$, N is a non-⊥ bivalent node in $\mathcal{R}^{G_{x'}}$. Invoking Lemma 10.13, we know that there exists a positive integer $x_u$ such that for all $x' > x_u$, $N^\ell$ is c-valent and $N^{r\ell}$ is (1 − c)-valent in $\mathcal{R}^{G_{x'}}$. Let $x = \max(x_b, x_u)$. By construction, for each x' > x, Y is a non-⊥ hook in $\mathcal{R}^{G_{x'}}$. □

Lemma 10.31. For each gadget Y in $\mathcal{R}^G$ that is not a non-⊥ decision gadget, the following is true. There exists a positive integer x such that for all positive integers x' > x, Y is a gadget in $\mathcal{R}^{G_{x'}}$, but Y is not a non-⊥ decision gadget in $\mathcal{R}^{G_{x'}}$.

Proof. Fix Y as in the hypotheses of the lemma. Since Y is a gadget in $\mathcal{R}^G$, by construction, there exists a positive integer $x_N$ such that for all positive integers $x'_N > x_N$, Y is a gadget in $\mathcal{R}^{G_{x'_N}}$.

We consider two cases: (1) Y is a tuple $(N, \ell, E^\ell, E'^\ell)$, and (2) Y is a tuple $(N, \ell, r, E^\ell, E^r, E^{r\ell})$.

Case 1. Y is a tuple $(N, \ell, E^\ell, E'^\ell)$. Let $N^\ell$ and $N'^\ell$ be the nodes to which $E^\ell$ and $E'^\ell$ are the incoming edges, respectively. Since Y is not a non-⊥ decision gadget, one of the following is true: (1) the path from root to N contains an edge with ⊥ action tag, (2) N is univalent, or (3) at least one of $N^\ell$ and $N'^\ell$ is bivalent in $\mathcal{R}^G$.

If the path from root to N contains an edge with ⊥ action tag, then by Lemma 9.28, we know that there exists a positive integer $x_N$ such that for every positive integer $x'_N > x_N$, the path from root to N contains an edge with ⊥ action tag in $\mathcal{R}^{G_{x'_N}}$. Therefore, Y cannot be a non-⊥ decision gadget in $\mathcal{R}^{G_{x'_N}}$.

If N is univalent in $\mathcal{R}^G$, then by Lemma 10.13, we know that there exists a positive integer $x_N$ such that for every positive integer $x'_N > x_N$, N is univalent in $\mathcal{R}^{G_{x'_N}}$. Therefore, for any positive integer $x'_N > x_N$, Y cannot be a decision gadget in $\mathcal{R}^{G_{x'_N}}$.

If $N^\ell$ (or $N'^\ell$, respectively) is bivalent in $\mathcal{R}^G$, then by Corollary 10.12 we know that there exists a positive integer $x > x_N$ such that for all positive integers x' > x, node $N^\ell$ (or $N'^\ell$, respectively) is bivalent in $\mathcal{R}^{G_{x'}}$, and consequently, Y is not a decision gadget in $\mathcal{R}^{G_{x'}}$.

Thus, if Y is a tuple $(N, \ell, E^\ell, E'^\ell)$, then there exists a positive integer x such that for all positive integers x' > x, Y is a gadget in $\mathcal{R}^{G_{x'}}$, but Y is not a non-⊥ decision gadget in $\mathcal{R}^{G_{x'}}$.

Case 2. Y is a tuple $(N, \ell, r, E^\ell, E^r, E^{r\ell})$. Let $N^\ell$ be the node to which $E^\ell$ is the incoming edge. Let $N^{r\ell}$ be the node to which $E^{r\ell}$ is the incoming edge. Since Y is not a non-⊥ decision gadget, one of the following is true: (1) the path from root to N contains an edge with ⊥ action tag, (2) N is univalent, or (3) at least one of $N^\ell$ and $N^{r\ell}$ is bivalent in $\mathcal{R}^G$.

If the path from root to N contains an edge with ⊥ action tag, then by Lemma 9.28, we know that there exists a positive integer $x_N$ such that for every positive integer $x'_N > x_N$, the path from root to N contains an edge with ⊥ action tag in $\mathcal{R}^{G_{x'_N}}$. Therefore, Y cannot be a non-⊥ decision gadget in $\mathcal{R}^{G_{x'_N}}$.

If N is univalent in $\mathcal{R}^G$, then as in Case 1, by Lemma 10.13 we know that there exists a positive integer $x_N$ such that for every positive integer $x'_N > x_N$, N is univalent in $\mathcal{R}^{G_{x'_N}}$. Therefore, for any positive integer $x'_N > x_N$, Y cannot be a decision gadget in $\mathcal{R}^{G_{x'_N}}$.

Similarly, if $N^\ell$ (or $N^{r\ell}$, respectively) is bivalent in $\mathcal{R}^G$, then as in Case 1, there exists a positive integer $x > x_N$ such that for all positive integers x' > x, $N^\ell$ (or $N^{r\ell}$, respectively) is bivalent in $\mathcal{R}^{G_{x'}}$, and Y is not a decision gadget in $\mathcal{R}^{G_{x'}}$.

Thus, if Y is a tuple $(N, \ell, r, E^\ell, E^r, E^{r\ell})$, then there exists a positive integer x such that for all positive integers x' > x, Y is a gadget in $\mathcal{R}^{G_{x'}}$, but Y is not a non-⊥ decision gadget in $\mathcal{R}^{G_{x'}}$. □


10.9 Ordering the Decision Gadgets

In this subsection, we show that a “first” decision gadget exists in $\mathcal{R}^G$. However, to define the “first” decision gadget, we first define a metric function in four steps: (1) We order the elements in each of the following sets: $\Pi \cup \{\top\}$, and $T \cup \{FD_i \mid i \in \Pi\}$. (2) We order the vertices in G. (3) We use the aforementioned orders to define a metric function for each node N in $\mathcal{R}^G$ and for each edge outgoing from N. (4) Finally, we define the metric function for each gadget.

Ordering the elements in $\Pi \cup \{\top\}$. Recall that the locations in Π are totally ordered by the $<_\Pi$ relation. For simplicity, we assume that Π is the set of integers in [1, n] and ⊤ = 0. Thus, $\Pi \cup \{\top\}$ is totally ordered by the < relation.

Ordering the elements in $T \cup \{FD_i \mid i \in \Pi\}$. Informally, we order $T \cup \{FD_i \mid i \in \Pi\}$ as follows: $Proc_1, Proc_2, \ldots, Proc_n, Env_{1,0}, Env_{1,1}, \ldots, Env_{n,0}, Env_{n,1}, Chan_{1,2}, Chan_{1,3}, \ldots, Chan_{1,n}, Chan_{2,1}, Chan_{2,3}, \ldots, Chan_{n,n-1}, FD_1, FD_2, \ldots, FD_n$.

Formally, we define $m : T \cup \{FD_i \mid i \in \Pi\} \to [1, n^2 + 3n]$ to be a mapping from all the labels in $\mathcal{R}^G$ to the set of integers in $[1, n^2 + 3n]$ as follows. For each element l in T and each element l' in $\{FD_i \mid i \in \Pi\}$, m(l) < m(l'). Note that T consists of n $Proc_i$ tasks, 2n $Env_{i,*}$ tasks, and n(n − 1) $Chan_{i,j}$ tasks. For each $Proc_i$ task l, each $Env_{i,*}$ task l' and each $Chan_{i,j}$ task l'', m(l) < m(l') < m(l'').

For each location i, recall that we assume $i \in [1, n]$. For a $Proc_i$ task, $m(Proc_i) = i$. For an $Env_{i,0}$ task, $m(Env_{i,0}) = n + 2i - 1$, and for an $Env_{i,1}$ task, $m(Env_{i,1}) = n + 2i$. For a $Chan_{i,j}$ task, $m(Chan_{i,j}) = 3n + n(i - 1) + j$. It is easy to see that m is a bijection from T to $[1, n^2 + 2n]$. We define the mapping from $\{FD_i \mid i \in \Pi\}$ as follows: $m(FD_i) = n^2 + 2n + i$. Therefore, m is a bijection from $T \cup \{FD_i \mid i \in \Pi\}$ to $[1, n^2 + 3n]$. Thus, the tasks in $T \cup \{FD_i \mid i \in \Pi\}$ are totally ordered by the range of m and the < relation on integers.

Based on the ordering of the elements in T, we can order any pair of distinct sequences of labels by their lexicographic ordering.

Ordering vertices in G. We order the vertices (i, k, e) in G first by their index k, and break the ties among vertices with the same index by their location i. We define a mapping $m : V \cup \{(\top, 0, \top)\} \to \mathbb{N}$, where G = (V, Z), as follows. Note that for any vertex v = (i, k, e), there are potentially infinitely many vertices in G with the same location i and at most n vertices in G whose index is k. Based on the above observation, we order all the vertices in G by defining $m(v) = k \times n + i$, where v = (i, k, e); note that by this definition, $m((\top, 0, \top)) = 0$ and for any $v \in V$, m(v) > 0. Thus, the vertices in V are totally ordered by the range of m and the < relation on integers.
Ordering outgoing edges from each node in $\mathcal{R}^G$. Fix any node N in $\mathcal{R}^G$. We define a total order over the set of edges outgoing from N as follows. Note that N has exactly one outgoing edge for each label in T, and potentially infinitely many outgoing edges for each label in $\{FD_i \mid i \in \Pi\}$. Also note that $|\{FD_i \mid i \in \Pi\}| = n$. By Lemma 9.7 we know that for each outgoing $FD_i$-edge, where i is a location, its vertex tag is distinct from the vertex tag of all other $FD_i$-edges. Therefore, for a given vertex tag, there can be only finitely many outgoing edges from N: there is at most one outgoing $FD_i$-edge for each location i with a given vertex tag, and there is at most one l-edge outgoing from N for any non-FD label l. It follows that there is at most one outgoing edge from N for a given vertex tag and task label.

Thus, we first order all the edges by their vertex tags, and for a given vertex tag, we order all edges with the same vertex tag by their task label. Formally, this order is captured by the metric function m for the outgoing edges E from any node N: $m(E) = (m(v_E), m(l_E))$.

Note that the range of m is $\mathbb{N} \times \mathbb{N}$. The lexicographic ordering of the range of m induces a total order on outgoing edges from each node in $\mathcal{R}^G$.


Ordering all the non-⊥ nodes in $\mathcal{R}^G$. Recall that each non-⊥ node N in $\mathcal{R}^G$ can be uniquely identified by the sequence of labels from ⊤ to N and the sequence of distinct vertex tags in the path from ⊤ to N. Also, note that nodes that contain a ⊥ action tag in the path from ⊤ to N cannot be uniquely identified using the above information. However, for our purposes, it is sufficient to order non-⊥ nodes.

Fix a non-⊥ node N' in $\mathcal{R}^G$. Let $d_{N'}$ denote the depth of the node, and let $k_{N'}$ denote the index of $v_{N'}$; that is, $v_{N'} = (*, k_{N'}, *)$, where $k_{N'} \in \mathbb{N}$. Let $E^1_{N'}, \ldots, E^{d_{N'}}_{N'}$ denote the sequence of edges in the path from ⊤ to N'. We define the metric function for each node N in $\mathcal{R}^G$ as follows:
$m(N) = (d_N + k_N, m(E^1_N), m(E^2_N), \ldots, m(E^{d_N}_N))$.

Thus, given two nodes N and N' in $\mathcal{R}^G$, we say that N is ordered before N' if either of the following is true.

• $d_N + k_N < d_{N'} + k_{N'}$.

• Assuming $d_N + k_N = d_{N'} + k_{N'}$, let x be the smallest integer such that at least one of $E^x_N$ and $E^x_{N'}$ exists, and if $E^x_{N'}$ also exists, then $E^x_N \neq E^x_{N'}$. Then, $m(E^x_N) < m(E^x_{N'})$. Informally, N is ordered before N' if the sequence of edges from ⊤ to N is lexicographically less than the sequence of edges from ⊤ to N'.


Next, we show that the metric function m imposes a total order on the non-⊥ nodes in $\mathcal{R}^G$, and that there exists a node with the minimum metric value among all the nodes in $\mathcal{R}^G$. In Lemma 10.32, we show that distinct non-⊥ nodes must have distinct metric values, which implies that the metric function m establishes a total order over all the non-⊥ nodes in $\mathcal{R}^G$ (Lemma 10.33). By implication, m establishes a total order over any non-empty subset of non-⊥ nodes in $\mathcal{R}^G$ (Corollary 10.34). In Lemma 10.36 we show that for any non-⊥ node N there are only finitely many nodes whose metric value is lexicographically smaller than the metric value of N (we use Lemma 10.35 as a helper lemma to prove this). Corollary 10.37 immediately follows from Lemma 10.36; Corollary 10.37 states that in any non-empty subset of non-⊥ nodes in $\mathcal{R}^G$, for each node N, there are only finitely many nodes with a smaller metric value. Lemma 10.33 and Corollary 10.37 together imply Corollary 10.38, which states that any non-empty subset $\mathcal{N}$ of non-⊥ nodes in $\mathcal{R}^G$ contains a unique node with the minimum metric value.


Lemma 10.32. For any pair N, N' of distinct non-⊥ nodes in $\mathcal{R}^G$, $m(N) \neq m(N')$.

Proof. Fix N and N' as in the hypothesis of the lemma. For contradiction, assume m(N) = m(N'). Therefore, the sequences of labels in the path from ⊤ to N and from ⊤ to N' are identical (consequently, both N and N' are at the same depth), and $v_N = v_{N'}$. Invoking Lemma 9.16, we know that N = N'. This contradicts the hypothesis that N and N' are distinct. □


Lemma 10.33. The non-⊥ nodes in $\mathcal{R}^G$ are totally ordered by their metric function m.

Proof. By Lemma 10.32 we know that each non-⊥ node in $\mathcal{R}^G$ has a distinct metric value. By definition, the range of the metric function m of nodes in $\mathcal{R}^G$ is totally ordered (by lexicographic ordering). Therefore, the non-⊥ nodes in $\mathcal{R}^G$ are totally ordered by their metric value. □

Corollary 10.34. For any non-empty subset $\mathcal{N}$ of non-⊥ nodes in $\mathcal{R}^G$, the nodes in $\mathcal{N}$ are totally ordered by their metric function m.

Proof. Follows from Lemma 10.33. □


Lemma 10.35. For any non-⊥ node N in $\mathcal{R}^G$, there are only finitely many nodes N' such that $d_{N'} + k_{N'} < d_N + k_N$.

Proof. We use the following two claims to prove the main lemma.

Claim 1. For any vertex v in G, there are only finitely many paths in G that end with v.

Proof. Fix a vertex v = (i, k, e) in G. For contradiction, assume that G contains infinitely many paths ending in v. Therefore, there are infinitely many vertices v' in G such that there is a path from v' to v. By the transitive closure property of G, it follows that there are infinitely many vertices v' such that there is an edge in G from v' to v. This contradicts Lemma 8.4. □

Claim 2. For any pair of positive integers d and k, there are only finitely many nodes N'' such that $d_{N''} = d$ and $k_{N''} = k$.

Proof. Fix d and k. By construction of G, there are at most n vertices v of the form (*, k, *) in G; let V be the set of all such vertices. For each $v \in V$, by Claim 1, there are only finitely many paths p in G that end with v; let P denote all the paths in G that end with some vertex in V. For each $p \in P$, there are only finitely many sequences p' of length d consisting of only the vertices in p; let P' denote the set of all such sequences over the vertices in some $p \in P$. Note that P' is finite.

Let L be the set of all sequences of length d over $T \cup \{FD_i \mid i \in \Pi\}$. Note that L is finite.

For each non-⊥ node N'' in $\mathcal{R}^G$ such that $d_{N''} = d$ and $k_{N''} = k$, let $e_{N''}$ denote the sequence of edges from ⊤ to N''. By Lemma 9.17, we know that the projection of $e_{N''}$ on the sequence of vertex tags and labels is unique, and by construction, this projection is an element of $P' \times L$. Since P' and L are finite, we conclude that there are only finitely many nodes N'' such that $d_{N''} = d$ and $k_{N''} = k$. □

Fix a non-⊥ node N in $\mathcal{R}^G$. Let $dk = d_N + k_N$. We apply Claim 2 for all values of d and k, where d is in [0, dk] and k is in [0, dk − d], respectively, to conclude that there are only finitely many nodes N' such that $d_{N'} + k_{N'} < d_N + k_N$. □

Lemma 10.36. For any non-⊥ node N in $\mathcal{R}^G$, there are only finitely many non-⊥ nodes N' such that m(N') < m(N).

Proof. Fix N as in the hypothesis of the lemma. Recall that the first element in m(N') of any node N' is $d_{N'} + k_{N'}$. Therefore, for any non-⊥ node N' such that m(N') < m(N), $d_{N'} + k_{N'} < d_N + k_N$. Invoking Lemma 10.35 we know that there are only finitely many nodes N' such that $d_{N'} + k_{N'} < d_N + k_N$. Therefore, there are only finitely many non-⊥ nodes N' such that m(N') < m(N). □
Corollary 10.37. For any non-empty subset $\mathcal{N}$ of non-⊥ nodes in $\mathcal{R}^G$, and for any non-⊥ node N in $\mathcal{N}$, there are only finitely many non-⊥ nodes $N' \in \mathcal{N}$ such that m(N') < m(N).

Proof. Follows from Lemma 10.36. □


Corollary 10.38. For any non-empty subset $\mathcal{N}$ of non-⊥ nodes in $\mathcal{R}^G$, there exists a unique non-⊥ node $N \in \mathcal{N}$ such that for all $N' \in \mathcal{N} \setminus \{N\}$, m(N) < m(N').

Proof. Fix $\mathcal{N}$ as in the hypothesis of the corollary. For contradiction, assume that for every node $N \in \mathcal{N}$, there exists a node $N' \in \mathcal{N}$ such that m(N') < m(N). By Corollary 10.34, we know that the nodes in $\mathcal{N}$ are totally ordered by their metric value. Therefore, for any node $N \in \mathcal{N}$, there must exist an infinite number of nodes $N' \in \mathcal{N}$ such that m(N') < m(N). However, this contradicts Corollary 10.37. □


Ranking non-⊥ nodes in $\mathcal{R}^G$. From Lemma 10.33 we know that the metric function m for non-⊥ nodes establishes a total order over the set of non-⊥ nodes in $\mathcal{R}^G$. By Corollaries 10.37 and 10.38, we map the non-⊥ nodes to the set of natural numbers by a function rank defined as follows. Let $\mathcal{N}^G$ be the set of all non-⊥ nodes in $\mathcal{R}^G$. For any non-negative integer x, if $N_x$ is the node with the x-th smallest metric value among the nodes in $\mathcal{N}^G$, then $\mathrm{rank}(N_x) = x$.

This notion of “rank” is used to define the metric value of non-⊥ gadgets.


Metric value of non-⊥ gadgets. Given a non-⊥ gadget of the form $(N, l, r, E^l, E^r, E^{rl})$, it can be uniquely identified by N, $N^l$ and $N^{rl}$, where $N^l$ is the lower endpoint of $E^l$ and $N^{rl}$ is the lower endpoint of $E^{rl}$. Similarly, given a non-⊥ gadget of the form $(N, l, E^l, E'^l)$, it can be uniquely identified by N, $N^l$ and $N'^l$, where $N^l$ is the lower endpoint of $E^l$ and $N'^l$ is the lower endpoint of $E'^l$.

For a non-⊥ decision gadget $(N, l, r, E^l, E^r, E^{rl})$, the metric value of the gadget is defined as $m((N, l, r, E^l, E^r, E^{rl})) = (\mathrm{rank}(N), \langle \mathrm{rank}(N^l), \mathrm{rank}(N^{rl}) \rangle)$, where $\langle \cdot, \cdot \rangle$ is the Cantor pairing function (see footnote). Similarly, for a non-⊥ decision gadget $(N, l, E^l, E'^l)$, the metric value of the gadget is defined as $m((N, l, E^l, E'^l)) = (\mathrm{rank}(N), \langle \mathrm{rank}(N^l), \mathrm{rank}(N'^l) \rangle)$.
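The label, vertex, edge, node and gadget metrics of this subsection, as an added runnable example that is not part of the paper. Label ranks are assigned by position in the informal sequence above, which is what makes m a bijection onto [1, n²+3n] (the closed-form expression given for $Chan_{i,j}$ skips the diagonal i = j, so its values are not consecutive); the sample tree, its Proc-edge vertex tags, and the convention that a node's vertex tag is that of its incoming edge are constructed assumptions.

```python
"""Added example (not from the paper): the metric functions of Section 10.9
made executable, so the total orders on labels, vertices, edges, nodes and
gadgets can be computed and checked on a constructed tree."""
from typing import Dict, Iterable, Tuple

Label = Tuple                    # ("Proc", i), ("Env", i, b), ("Chan", i, j) or ("FD", i)
Vertex = Tuple[int, int, str]    # (location i, index k, event e); the root tag is TOP_VERTEX
TOP = 0                          # the paper identifies the root marker ⊤ with the integer 0
TOP_VERTEX: Vertex = (TOP, 0, "top")
# A non-⊥ node is identified by its path from the root ⊤: the (vertex tag,
# label) of each edge in order (Lemma 9.16).  The empty path is the root.
Node = Tuple[Tuple[Vertex, Label], ...]


def label_order(n: int) -> Dict[Label, int]:
    """m : T ∪ {FD_i | i ∈ Π} → [1, n²+3n], assigned by position in the
    informal sequence Proc_1..Proc_n, Env_{1,0}, Env_{1,1}, .., Env_{n,1},
    Chan_{1,2}, .., Chan_{n,n-1}, FD_1..FD_n (locations are 1..n)."""
    seq = [("Proc", i) for i in range(1, n + 1)]
    seq += [("Env", i, b) for i in range(1, n + 1) for b in (0, 1)]
    seq += [("Chan", i, j) for i in range(1, n + 1)
            for j in range(1, n + 1) if i != j]
    seq += [("FD", i) for i in range(1, n + 1)]
    return {lab: pos for pos, lab in enumerate(seq, start=1)}


def is_label_bijection(n: int) -> bool:
    """Check the claim that m maps the n²+3n labels onto [1, n²+3n]."""
    m = label_order(n)
    size = n * n + 3 * n
    return len(m) == size and set(m.values()) == set(range(1, size + 1))


def vertex_metric(v: Vertex, n: int) -> int:
    """m(v) = k·n + i for v = (i, k, e): order by index k, then location i.
    m((⊤, 0, ⊤)) = 0 and every real vertex maps to a value > 0."""
    i, k, _ = v
    return k * n + i


def edge_metric(v_tag: Vertex, label: Label, n: int,
                m_lab: Dict[Label, int]) -> Tuple[int, int]:
    """m(E) = (m(v_E), m(l_E)); edges are compared lexicographically."""
    return (vertex_metric(v_tag, n), m_lab[label])


def node_metric(node: Node, n: int, m_lab: Dict[Label, int]) -> Tuple:
    """m(N) = (d_N + k_N, m(E¹_N), ..., m(E^{d_N}_N)).  Assumption: the vertex
    tag v_N of a node is the vertex tag of its incoming edge (k_N = 0 at ⊤)."""
    depth = len(node)
    k_n = node[-1][0][1] if node else 0
    return (depth + k_n,) + tuple(edge_metric(v, lab, n, m_lab) for v, lab in node)


def rank_nodes(nodes: Iterable[Node], n: int,
               m_lab: Dict[Label, int]) -> Dict[Node, int]:
    """rank(N_x) = x for the node with the x-th smallest metric value.
    Lemma 10.32 says distinct nodes have distinct metrics; we check it."""
    ordered = sorted(nodes, key=lambda nd: node_metric(nd, n, m_lab))
    metrics = [node_metric(nd, n, m_lab) for nd in ordered]
    assert len(set(metrics)) == len(metrics), "metric values must be distinct"
    return {nd: x for x, nd in enumerate(ordered)}


def cantor_pair(n1: int, n2: int) -> int:
    """π(n1, n2) = ½(n1+n2)(n1+n2+1) + n2, the bijection ℕ×ℕ → ℕ of the footnote."""
    return (n1 + n2) * (n1 + n2 + 1) // 2 + n2


def gadget_metric(rank: Dict[Node, int], top: Node,
                  child_a: Node, child_b: Node) -> Tuple[int, int]:
    """Metric of a non-⊥ gadget identified by its node N and its two univalent
    lower endpoints, (N^l, N^{rl}) for a hook or (N^l, N'^l) for a fork:
    (rank(N), π(rank(first child), rank(second child)))."""
    return (rank[top], cantor_pair(rank[child_a], rank[child_b]))


def first_gadget(rank: Dict[Node, int], gadgets: Iterable[Tuple[Node, Node, Node]]):
    """The 'first' non-⊥ decision gadget: the one with the smallest metric
    (Theorem 10.41).  gadgets yields (N, child_a, child_b) triples."""
    return min(gadgets, key=lambda g: gadget_metric(rank, *g))


# Constructed sample for n = 3: a root with two FD-children carrying different
# vertex tags, each with an l-child under the Proc_1 label.
N_SAMPLE = 3
M_LAB = label_order(N_SAMPLE)
ROOT: Node = ()
A: Node = (((1, 1, "d1"), ("FD", 1)),)
B: Node = (((2, 1, "d2"), ("FD", 2)),)
A_L: Node = A + (((1, 1, "d1"), ("Proc", 1)),)
B_L: Node = B + (((2, 1, "d2"), ("Proc", 1)),)
RANK = rank_nodes([ROOT, A, B, A_L, B_L], N_SAMPLE, M_LAB)
```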

Lemma 10.39. For any pair of distinct non-⊥ gadgets $Y_1$ and $Y_2$, $m(Y_1) \neq m(Y_2)$.

Proof. Follows from the properties of the Cantor pairing function. □

The first non-⊥ decision gadget in $\mathcal{R}^G$ is the non-⊥ decision gadget with the smallest metric value among all non-⊥ decision gadgets in $\mathcal{R}^G$. Next, we show that such a decision gadget exists.

Lemma 10.40. For any non-⊥ gadget Y in $\mathcal{R}^G$, there are only finitely many non-⊥ gadgets Y' in $\mathcal{R}^G$ such that m(Y) > m(Y').

Proof. The lemma follows directly from the properties of the Cantor pairing function. □

Next, we show that $\mathcal{R}^G$ has a first non-⊥ decision gadget.

Theorem 10.41. $\mathcal{R}^G$ contains a non-⊥ decision gadget Y such that the metric value of any other non-⊥ decision gadget Y' is strictly greater than the metric value of Y.

Proof. Let $\mathcal{Y}$ be the set of all non-⊥ decision gadgets in $\mathcal{R}^G$. Fix an arbitrary $Y' \in \mathcal{Y}$. By Lemma 10.40, we know that there are only finitely many $Y'' \in \mathcal{Y}$ such that m(Y'') < m(Y'). Let $\mathcal{Y}' = \{Y'' \mid Y'' \in \mathcal{Y} \wedge m(Y'') < m(Y')\}$. Since $\mathcal{Y}'$ is a finite set, let $Y = \arg\min_{Y \in \mathcal{Y}'} \{m(Y)\}$. By construction, Y is a non-⊥ decision gadget such that the metric value of any other non-⊥ decision gadget Y' is strictly greater than the metric value of Y. □

Footnote: Recall that the Cantor pairing function π is a bijection from $\mathbb{N} \times \mathbb{N}$ to $\mathbb{N}$ and is defined by $\pi(n_1, n_2) = \frac{1}{2}(n_1 + n_2)(n_1 + n_2 + 1) + n_2$.


Given an observation G that is viable for D, let first($\mathcal{R}^G$) denote the first non-⊥ decision gadget in $\mathcal{R}^G$.

Recall that at most f locations are not live in G, that the trace in $T_D$ fixed earlier is compatible with D, and that $G_1, G_2, G_3, \ldots$ is a sequence of observations that converge to G. Next we show the ‘persistence’ of non-⊥ decision gadgets across the sequence of execution trees $\mathcal{R}^{G_1}, \mathcal{R}^{G_2}, \mathcal{R}^{G_3}, \ldots$.

Lemma 10.42. For any $G' \in \{G, G_1, G_2, \ldots\}$ and any non-⊥ gadget Y in $\mathcal{R}^{G'}$, there are only finitely many non-⊥ gadgets Y' in $\mathcal{R}^{G'}$ such that m(Y) > m(Y').

Proof. The lemma follows directly from the properties of the Cantor pairing function. □

Let $Y_{min}$ denote first($\mathcal{R}^G$), the first non-⊥ decision gadget in $\mathcal{R}^G$.

Lemma 10.43. There exists a positive integer x such that for all positive integers x' > x, $Y_{min}$ is the first non-⊥ decision gadget in $\mathcal{R}^{G_{x'}}$.


Proof. Applying Lemma 10.30, we know that there exists a positive integer $x_Y$ such that for all positive integers $x'_Y > x_Y$, $Y_{min}$ is a non-⊥ decision gadget in $\mathcal{R}^{G_{x'_Y}}$. Fix $x_Y$.

By Lemma 10.42, we know that there are only finitely many non-⊥ gadgets Y' in $\mathcal{R}^G$ such that m(Y') < m($Y_{min}$). Let $\mathcal{Y}$ denote the set of all such gadgets Y'. By construction, all the gadgets in $\mathcal{Y}$ are not non-⊥ decision gadgets (that is, they are either ⊥ decision gadgets, or not decision gadgets at all) in $\mathcal{R}^G$. By Lemma 10.31 we know that for each $Y' \in \mathcal{Y}$ there exists a positive integer $x_{Y'}$ such that for all positive integers $x'_{Y'} > x_{Y'}$, Y' is not a non-⊥ decision gadget in $\mathcal{R}^{G_{x'_{Y'}}}$; fix an $x_{Y'}$ for each such Y'. Let x denote the largest such $x_{Y'}$; since $\mathcal{Y}$ is a finite set, we know that x exists.

Thus, for all x' > x, $Y_{min}$ is the first non-⊥ decision gadget in $\mathcal{R}^{G_{x'}}$. □


11 A Weakest AFD for Consensus

In [2], Chandra et al. showed that Ω is a weakest failure detector for solving (n − 1)-crash-tolerant consensus. We use similar arguments to show that AFD $\Omega_f$ (defined in Section 5.3), which is a generalization of the Ω AFD, is a weakest strong-sampling AFD to solve f-crash-tolerant consensus in all well-formed environments. Although the assumption about strong-sampling AFDs seems to weaken our result with respect to the result in [2], in fact, a similar assumption was implicitly used in [2].

Recall that $\Omega_f$, where 0 < f < n, denotes the AFD that behaves exactly like Ω in traces that have at most f faulty locations, and in traces that have more than f faulty locations, the outputs by $\Omega_f$ are unconstrained. In order to show that $\Omega_f$ is weakest to solve f-crash-tolerant consensus, first we have to show that f-crash-tolerant consensus can be solved using $\Omega_f$ in any well-formed environment. Since $\Omega_f$ behaves exactly like Ω in executions where at most f locations crash, we see that the algorithm in [3] can be modified trivially to solve f-crash-tolerant consensus using $\Omega_f$ in any well-formed environment. It remains to show that, for every strong-sampling AFD D, if D is sufficient to solve f-crash-tolerant consensus in any well-formed environment, then D is stronger than $\Omega_f$.

For the remainder of this section, fix f to be a positive integer not exceeding n.

In Section 11.1 we present an algorithm that solves $\Omega_f$ using any arbitrary strong-sampling AFD that solves f-crash-tolerant consensus, and in Section 11.2, we present the proof of correctness. Since we know that $\Omega_f$ is sufficient to solve f-crash-tolerant consensus, we thus establish that $\Omega_f$ is a weakest AFD to solve f-crash-tolerant consensus.


11.1 Algorithm for Solving $\Omega_f$

Let D be an AFD sufficient to solve f-crash-tolerant consensus, where 0 < f < n, in the well-formed environment $\mathcal{E}_C$ from Section 10.2. By definition, there exists a distributed algorithm $A^C$ that uses D to solve f-crash-tolerant consensus in $\mathcal{E}_C$. Using $A^C$, we construct an algorithm $A^\Omega$ that uses D to solve $\Omega_f$.

In $A^\Omega$, each process automaton keeps track of the outputs provided by AFD D and exchanges this information with all other process automata (at other locations). Each process uses this information to maintain an observation G (a local variable), and sends this observation to the other process automata. Initially, the observation G at each process automaton is empty, and the local variable k, which counts the number of AFD events that have occurred at that location, is 0. Each process also maintains a local variable fdout which may be viewed as the automaton’s current estimate of the output of the AFD $\Omega_f$ that it implements; initially, at each process i, the value of fdout is i. Next, we describe the actions of the process automaton at a location (say) i.

When an AFD output d occurs at location i, the input action d occurs in $A^\Omega$; in this action, the process automaton does the following. It increments k by 1 (which updates the number of AFD events that have occurred at i) and inserts a new vertex (i, k, d) into its local variable G; the insert operation is defined in Section 8.3. A copy of the updated observation G is appended to sendq for every other location, to be sent out to all other locations. The process automaton constructs the directed tree $\mathcal{R}^G$ for the current value of G (as described earlier). If $\mathcal{R}^G$ contains a non-⊥ decision gadget, then it determines the first non-⊥ decision gadget in $\mathcal{R}^G$ and updates fdout to the critical location of that decision gadget. Finally, the automaton adds (fdout, i) to sendq.

If the front element of sendq is a pair consisting of an observation observe and location j, then the output action send(observe, j) is enabled. When this action occurs, the front element of sendq is deleted (and a message is sent to j that contains the observation observe).

When the process automaton at i receives a message from another location j with the observation observe, the input event receive(observe, j) occurs, and the process automaton updates G with the union of G and observe; the union operation is defined in Section 8.3.

If the front element of sendq is a pair (j, i), where j is a location, the output action $FD_\Omega(j)$ is enabled. When this action occurs, the front element of sendq is deleted.

Note that sendq contains both the observations that are sent to other locations and the values of the $\Omega_f$ AFD output events. This is because we model process automata as having a single task. Alternatively, we could have modeled process automata as having multiple tasks and used separate data structures to store the AFD outputs and the observations to be sent to other locations.

The pseudocode for the algorithm is given in Algorithm 3.


11.2 Correctness

Fix an arbitrary fair execution α of the system consisting of $A^\Omega$, the channel automata, the crash automaton, and the well-formed environment $\mathcal{E}_C$ such that $\alpha|_{I \cup O_D} \in T_D$ and at most f locations
Algorithm 3 Algorithm for solving $\Omega_f$

The automaton $A^\Omega_i$ at each location i.

Signature:
  input crash_i
  input d : O_{D,i}
  input receive(obs : Observation, j : Π \ {i})_i
  output send(obs : Observation, j : Π \ {i})_i
  output FD_Ω(j : Π)_i

Variables:
  G : a finite observation, initially empty        // finite observation maintained at all locations
  k : integer, initially 0                         // number of AFD outputs that have occurred so far
  sendq : queue of pairs (o, j), where o is either an observation or a location, and j is a location; initially empty
  fdout : Π, initially i                           // location ID output by the Ω_f AFD output actions
  faulty : Boolean, initially false                // when true, the process automaton is crashed

Actions:
  input crash_i
    effect
      faulty := true

  input d : d ∈ O_{D,i}
    effect
      if not faulty, then
        k := k + 1
        insert vertex (i, k, d) into G             // the insert operation is defined in Section 8.3
        foreach j ∈ Π \ {i}
          append (G, j) to sendq
        if R^G contains a non-⊥ decision gadget, then
          H := first(R^G)                          // recall that first(R^G) is the first non-⊥ decision gadget in R^G
          fdout := critical location of H
        append (fdout, i) to sendq

  input receive(obs, j)_i
    effect
      if not faulty, then
        G := G ∪ obs                               // the union operation is defined in Section 8.3

  output send(obs, j)_i
    precondition
      ¬faulty ∧ ((obs, j) = head(sendq))
    effect
      delete head of sendq

  output FD_Ω(j)_i
    precondition
      ¬faulty ∧ ((j, i) = head(sendq))
    effect
      delete head of sendq
crash in α. Let $\alpha|_{I \cup O_\Omega}$ denote the projection of α onto the actions of Ω. Recall that AFD $\Omega_f$ behaves exactly like Ω if at most f locations crash. Thus, it remains to show that $\alpha|_{I \cup O_\Omega} \in T_\Omega$.

The remainder of this section uses the following notation. Recall that an execution is a sequence of alternating states and actions. In execution α, $\alpha s[k]$ denotes the k-th state in α, and $\alpha s[k].G_i$ denotes the value of the observation $G_i$ in state $\alpha s[k]$. We assume that the initial state of α, denoted $\alpha s[0]$, is the 0-th state in α.

The proof is divided into three parts. In Section 11.2.1 we prove some basic properties of the graphs $G_i$, where i is a location, that are used in the remainder of the proof. In Section 11.2.2 we show that each $\alpha s[k].G_i$, where k is a positive integer and i is a location, is a viable observation for D. In Section 11.2.3 we show that for all live locations i, the limits $G_i^\infty$ of $\alpha s[k].G_i$, as k approaches ∞, are identical and a viable observation for D; therefore, we denote all $G_i^\infty$ (for all locations i) as $G^\infty$. Finally, in Section 11.2.4, we identify the “first” non-⊥ decision gadget Y in $G^\infty$ and show that for each live location i, eventually, Y is also the first non-⊥ decision gadget for $G_i$. Since each live process eventually detects the same decision gadget as the “first”, each live process eventually and permanently outputs the same live location as the output of $\Omega_f$. This completes the proof.


11.2.1 Properties of the graphs $G_i$ at each location i

Here we present some basic properties of the $G_i$ graphs (see footnote). Lemma 11.1 states that the value of $G_i$ in any state is a subgraph of its value in any later state. For a triple v = (i, k, e) that exists in some $\alpha s[x'].G_j$, let x be the smallest positive integer such that $\alpha s[x].G_j$ contains the vertex v for some location j; then, vertex v is said to “appear” in α at index x. Lemma 11.3 establishes that when a new vertex v = (i, k, e) “appears” in α at index x, v is inserted into $G_i$; that is, $\alpha s[x].G_i$ contains v. Lemma 11.4 establishes that when v = (i, k, e) first “appears” in α at index x, (1) e precedes the state $\alpha s[x]$ in α, (2) the value of $k_i$ is k − 1, (3) e is the k-th event in α, (4) $G_i$ does not contain any other vertex of the form (i, k, *), and (5) $G_i$ contains vertices of the form (i, k', *) for all k' < k. Lemma 11.5 establishes that when a vertex v “appears” in α, all the incoming edges to v are fixed and do not change thereafter. Lemma 11.6 establishes that if v “appears” in α at index x, then for all x' > x, $\alpha s[x].G_i$ is a subgraph of $\alpha s[x'].G_j$. Finally, Lemma 11.7 establishes that if an edge $(v_1, v_2)$ occurs in any graph $G_i$, then the event of $v_1$ precedes the event of $v_2$ in α.


Lemma 11.1. For each positive integer x and each location i, αs[x].G_i is a subgraph of αs[x + 1].G_i.

Proof. Fix i and x as in the hypotheses of the lemma. The proof follows from the observation that no vertex and no edge in αs[x].G_i is deleted in αs[x + 1].G_i by any action. □

Corollary 11.2. For each positive integer x, each location i, and all positive integers x' ≥ x, αs[x].G_i is a subgraph of αs[x'].G_i.

Lemma 11.3. For any vertex (i, k, e), let x be the smallest integer such that for some location j, αs[x].G_j contains the vertex (i, k, e). Then (1) j = i and (2) event e immediately precedes αs[x] in α.

Proof. Fix (i, k, e), x, and j as in the hypotheses of the lemma. Therefore, αs[x − 1].G_j does not contain the vertex (i, k, e) and αs[x].G_j contains the vertex (i, k, e). Let a be the action that occurs between states αs[x − 1] and αs[x] in α.


¹ Although G_i for each location i is an observation, we have not yet shown this to be the case. Consequently, we refer to them merely as "graphs". We prove that the G_i's are observations in Theorem 11.11.
First, we prove part 1 of the lemma. From the pseudocode, we know that a is either an action in O_{D,j} or an action of the form receive(*, *)_j. In the former case, the vertex inserted by a is of the form (j, *, a), and so j = i. We show that the latter case is impossible.

For contradiction, assume that a is an action of the form receive(observe, j')_j. From the pseudocode, we see that observe contains vertex (i, k, e). However, from the reliable FIFO behavior of the channel automata, we know that the process automaton at j' must have sent the message observe containing vertex (i, k, e) before state αs[x − 1] in α. Let this send occur after state αs[x⁻], where x⁻ < x. Therefore, αs[x⁻].G_{j'} contains vertex (i, k, e), which contradicts our assumption that x is the smallest integer such that for some location j, αs[x].G_j contains the vertex (i, k, e); this establishes part 1 of the lemma.

Consequently, a must be an action in O_{D,i}, and from the pseudocode, we conclude that a = e; this establishes part 2 of the lemma. □

Lemma 11.4. For any vertex (i, k, e), let x be the smallest integer such that αs[x].G_i contains the vertex (i, k, e). The following are true.

1. αs[x − 1].k_i = k − 1.

2. e = α|O_{D,i}[k].

3. αs[x − 1].G_i does not contain any other vertex of the form (i, k, *).

4. For each positive integer k' < k, αs[x − 1].G_i contains one vertex of the form (i, k', *).

Proof. Fix i, v = (i, k, e), and x as in the hypotheses of the lemma. We prove the lemma by induction on k.

Base Case. Let k = 1. When the first event e from O_{D,i} occurs in α, from the pseudocode, we see that the vertex (i, 1, e) is added to G_i. Therefore, for vertex (i, 1, e), let x be the smallest integer such that αs[x].G_i contains the vertex (i, 1, e). From the pseudocode, we see that (1) αs[x − 1].k_i = 0. Since e is the first event from O_{D,i}, (2) e = α|O_{D,i}[1]. Note that (3) αs[x − 1].G_i does not contain any vertex of the form (i, 1, *). Property 4 is satisfied vacuously.

Inductive Hypothesis. For any vertex (i, k, e), let x be the smallest integer such that αs[x].G_i contains the vertex (i, k, e). Then the following are true.

1. αs[x − 1].k_i = k − 1.

2. e = α|O_{D,i}[k].

3. αs[x − 1].G_i does not contain any other vertex of the form (i, k, *).

4. For each positive integer k' < k, αs[x − 1].G_i contains one vertex of the form (i, k', *).

Inductive Step. Let x' be the smallest integer such that αs[x'].G_i contains the vertex (i, k + 1, e') for some e'. Applying Lemma 11.3, we know that for every other location j and all x'' < x', αs[x''].G_j does not contain the vertex (i, k + 1, e'), and that the event preceding αs[x'] in α is e'. From the pseudocode, we see that e' ∈ O_{D,i}, and since any action from O_{D,i} increments k_i by 1 and the inserted vertex carries the incremented value, we conclude that (1) αs[x' − 1].k_i = k.

From the inductive hypothesis we know that αs[x − 1].k_i = k − 1. Since e ∈ O_{D,i}, and any action from O_{D,i} increments k_i, we know that αs[x].k_i = k. We have already established that αs[x' − 1].k_i = k, and k_i is updated only when an action from O_{D,i} occurs. Therefore, e' is the earliest event from O_{D,i} that follows e. Since e = α|O_{D,i}[k] by the inductive hypothesis, (2) e' = α|O_{D,i}[k + 1]. Moreover, vertices of the form (i, *, *) are inserted into G_i only when an action from O_{D,i} occurs, and no such action occurs between αs[x] and αs[x' − 1]; hence (3) αs[x' − 1].G_i does not contain any other vertex of the form (i, k + 1, *).

By the inductive hypothesis, we know that for each positive integer k' < k, αs[x − 1].G_i contains one vertex of the form (i, k', *), and αs[x].G_i additionally contains (i, k, e). By Corollary 11.2, αs[x].G_i is a subgraph of αs[x' − 1].G_i. Therefore, (4) for each positive integer k' ≤ k, αs[x' − 1].G_i contains one vertex of the form (i, k', *). □


Lemma 11.5. For any location j, any positive integer x, and any pair of vertices u and v = (i, k, e) such that αs[x].G_j contains the edge (u, v), the following is true. Let x' be the smallest positive integer such that αs[x'].G_i contains the vertex v. Then αs[x'].G_i contains the edge (u, v).


Proof. Fix j, x, u, v = (i, k, e), and x' as in the hypotheses of the lemma. Let x_min be the smallest positive integer such that for some location j', αs[x_min].G_{j'} contains the edge (u, v). Since any graph containing the edge (u, v) contains the vertex v, applying Lemma 11.3 we know that x_min ≥ x'. If x_min > x', then the action preceding αs[x_min] does not insert v, so the edge (u, v) is added to G_{j'} by an action of the form receive(observe, j'')_{j'}, where observe contains the edge (u, v). However, this implies that for some x_prev < x_min, αs[x_prev].G_{j''} contains the edge (u, v), and this contradicts the definition of x_min. Therefore, x_min = x'. Applying Lemma 11.3, we know that j' = i. Therefore, αs[x'].G_i contains the edge (u, v). □


Lemma 11.6. For any vertex (i, k, e), let x be the smallest integer such that for some location j, αs[x].G_j contains the vertex (i, k, e). For any location j' and any positive integer x' such that αs[x'].G_{j'} contains the vertex (i, k, e), αs[x].G_j is a subgraph of αs[x'].G_{j'}.

Proof. Fix (i, k, e), x, and j as in the hypotheses of the lemma. Applying Lemma 11.3 we know that j = i.

For contradiction, assume there exists a location j' and a positive integer x' such that αs[x'].G_{j'} contains the vertex (i, k, e), but αs[x].G_i is not a subgraph of αs[x'].G_{j'}. Fix the smallest such x' and a corresponding location j'.

From the definition of x we know that x' ≥ x. Applying Corollary 11.2, we know that αs[x].G_i is a subgraph of αs[x'].G_i, and therefore j' ≠ i.

By the choice of x' and Lemma 11.1, αs[x' − 1].G_{j'} does not contain the vertex (i, k, e) (otherwise αs[x].G_i would be a subgraph of αs[x' − 1].G_{j'}, and hence of αs[x'].G_{j'}). Since j' ≠ i, we conclude that the action preceding αs[x'] in α is an action of the form receive(observe, j'')_{j'}, where observe contains the vertex (i, k, e) and αs[x].G_i is not a subgraph of observe. Fix the location j''. Therefore, there exists a positive integer x'' < x' such that αs[x''].G_{j''} contains the vertex (i, k, e) and αs[x].G_i is not a subgraph of αs[x''].G_{j''}. This contradicts the definition of x'. □


Lemma 11.7. For any edge (v_1, v_2) in αs[x].G_i, the event e_1 occurs before event e_2 in α, where v_1 = (i_1, k_1, e_1) and v_2 = (i_2, k_2, e_2).

Proof. Fix v_1 = (i_1, k_1, e_1) and v_2 = (i_2, k_2, e_2), as in the hypotheses of the lemma.

Applying Lemma 11.3, we know that there exists a positive integer x_1 such that (1) αs[x_1].G_{i_1} contains vertex v_1, (2) for each positive integer x_1' < x_1, αs[x_1'].G_{i_1} does not contain v_1, and (3) for each positive integer x_1' < x_1 and every other location j, αs[x_1'].G_j does not contain the vertex v_1; moreover, the action preceding αs[x_1] in α is e_1.

Similarly, applying Lemma 11.3 we know that there exists a positive integer x_2 such that (1) αs[x_2].G_{i_2} contains vertex v_2, (2) for each positive integer x_2' < x_2, αs[x_2'].G_{i_2} does not contain the vertex v_2, and (3) for each positive integer x_2' < x_2 and every other location j, αs[x_2'].G_j does not contain the vertex v_2; moreover, the action preceding αs[x_2] in α is e_2. From Lemma 11.5 we know that αs[x_2].G_{i_2} also contains the edge (v_1, v_2).

When e_2 occurs, the pseudocode inserts v_2 into G_{i_2} with an incoming edge from each vertex already in αs[x_2 − 1].G_{i_2}; the edge (v_1, v_2) therefore implies that αs[x_2 − 1].G_{i_2} contains v_1. From the definition of x_1, we conclude that x_1 ≤ x_2 − 1 < x_2. Since v_1 is added when event e_1 occurs in α after state αs[x_1 − 1], and v_2 is added when event e_2 occurs in α after state αs[x_2 − 1], e_1 occurs before e_2 in α. □


11.2.2 For each location i, G_i is an observation


In this subsection, we prove in Theorem 11.11 that for each location i and each positive integer x, αs[x].G_i is an observation for D. We use three lemmas to prove the main result. In Lemma 11.8, we prove that for any location i, if the graph G_i is an observation and an event from O_{D,i} occurs, then in the resulting state, G_i is an observation. In Lemma 11.9 we show that for any two graphs αs[x].G_j and αs[x'].G_{j'}, and for every vertex v = (i, k, e) from αs[x].G_j, either αs[x'].G_{j'} also contains v, or αs[x'].G_{j'} does not contain any vertex of the form (i, k, *). In Lemma 11.10 we show that for any two graphs αs[x].G_j and αs[x'].G_{j'}, for any vertex v that is in both αs[x].G_j and αs[x'].G_{j'}, v has the same set of incoming edges in both αs[x].G_j and αs[x'].G_{j'}.

Lemma 11.8. For any location i and a positive integer x, if αs[x].G_i is an observation and the event e between αs[x] and αs[x + 1] in α is an event from O_{D,i}, then αs[x + 1].G_i is an observation.

Proof. Fix i, x, and e from the hypothesis of the lemma. From the pseudocode, we know that when e occurs, a vertex v of the form (i, k, e) is added to G_i, and for each vertex u in αs[x].G_i, the edge (u, v) is added to G_i as well. From Lemma 11.4, we know that αs[x].k_i = k − 1 and αs[x].G_i does not contain any vertex of the form (i, k, *). Therefore, αs[x + 1].G_i = insert(αs[x].G_i, v); invoking Lemma 8.8 we conclude that αs[x + 1].G_i is an observation. □


Lemma 11.9. For any pair of positive integers x and x', and any pair of locations j and j', if αs[x].G_j contains a vertex v = (i, k, e), then it is not the case that αs[x'].G_{j'} contains a vertex v' = (i, k, e') where e ≠ e'.

Proof. Fix a pair of positive integers x and x', and a pair of locations j and j', such that αs[x].G_j contains a vertex v = (i, k, e) and αs[x'].G_{j'} contains a vertex v' = (i, k, e'). We complete the proof by showing that e = e'.

Let x_1 be the smallest positive integer such that for some location i_1, αs[x_1].G_{i_1} contains the vertex v, and let x_2 be the smallest positive integer such that for some location i_2, αs[x_2].G_{i_2} contains the vertex v'. Invoking Lemma 11.3 we know that i_1 = i_2 = i. Invoking Lemma 11.4 we know that e = α|O_{D,i}[k] and e' = α|O_{D,i}[k]; that is, e = e'. □


Lemma 11.10. For any pair of positive integers x and x', and any pair of locations j and j', for every vertex v in both αs[x].G_j and αs[x'].G_{j'}, if an edge (u, v) is in αs[x].G_j, then the edge (u, v) is also in αs[x'].G_{j'}.

Proof. Fix a pair of positive integers x and x', and a pair of locations j and j'. If the sets of vertices of αs[x].G_j and αs[x'].G_{j'} are disjoint, then the lemma is satisfied vacuously. For the remainder of the proof, assume that there exists at least one vertex in both αs[x].G_j and αs[x'].G_{j'}. Fix such a vertex v = (i, k, e). Fix u to be any vertex in αs[x].G_j such that (u, v) is an edge in αs[x].G_j. We show that the edge (u, v) exists in αs[x'].G_{j'}.

Let x_0 be the smallest positive integer such that αs[x_0].G_i contains the vertex v; by Lemma 11.3, x_0 is also the smallest positive integer such that some graph αs[x_0].G_{j''} contains v. Invoking Lemma 11.5, we know that αs[x_0].G_i contains the edge (u, v). Invoking Lemma 11.6, we know that αs[x_0].G_i is a subgraph of αs[x'].G_{j'}, and therefore, αs[x'].G_{j'} contains the edge (u, v). □
Theorem 11.11. For each location i, for each positive integer x, αs[x].G_i is an observation.

Proof. We prove the theorem by strong induction on x.

Inductive Hypothesis. For each location i, and each non-negative integer x' < x, αs[x'].G_i is an observation.

Inductive Step. Fix a location i. We know that for x = 0, αs[x].G_i is the empty graph, and is therefore an observation. The remainder of the proof assumes x ≥ 1. We know from Lemma 11.1 that αs[x − 1].G_i is a subgraph of αs[x].G_i. Therefore, either αs[x − 1].G_i = αs[x].G_i, or αs[x − 1].G_i ≠ αs[x].G_i. In the former case, we apply the inductive hypothesis to conclude that αs[x].G_i is an observation. In the latter case, the following argument holds.

From the pseudocode, we know that the event e between αs[x − 1] and αs[x] in α is either (1) an event from O_{D,i} or (2) an event of the form receive(observe, j)_i for some j ≠ i.

Case 1. Let e be an event from O_{D,i}. Recall that by the inductive hypothesis, αs[x − 1].G_i is an observation. Invoking Lemma 11.8, we conclude that αs[x].G_i is an observation.

Case 2. Let e be an event of the form receive(observe, j)_i for some j ≠ i. From the FIFO property of the channels, we know that an event send(observe, i)_j occurred in α before event e. From the pseudocode, we know that for some x' < x, observe = αs[x'].G_j. By the inductive hypothesis, we conclude that observe and αs[x − 1].G_i are observations. Also, from the pseudocode, we know that when event e occurs, G_i is updated to G_i ∪ observe. Therefore, αs[x].G_i = αs[x − 1].G_i ∪ observe. By Lemma 11.9, we know that for each vertex v = (i', k', e') in observe, it is not the case that αs[x − 1].G_i contains a vertex v' = (i', k', e'') where e'' ≠ e', and invoking Lemma 11.10, we know that for every vertex v in both observe and αs[x − 1].G_i, v has the same set of incoming edges in both observe and αs[x − 1].G_i. Therefore, we can invoke Lemma 8.7 to conclude that αs[x].G_i is an observation. This completes the induction. □


11.2.3 The limit of the G_i's is a viable observation

For each location i, we define G_i^∞ to be the limit of αs[k].G_i as k tends to ∞. In this subsection, we show that for each pair of live locations i and j, G_i^∞ = G_j^∞, and that this limiting observation is viable for D.

Recall that the limit G_i^∞ = (V^∞, E^∞) is defined as follows. Let αs[k].G_i = (V_k, E_k) for each natural number k. Then V^∞ = ∪_{k∈ℕ} V_k and E^∞ = ∪_{k∈ℕ} E_k.


Lemma 11.12. For each location i, for every pair of integers x, x', where x' ≥ x, αs[x].G_i is a prefix of αs[x'].G_i.

Proof. Fix i, x, and x', as in the hypotheses of the lemma. Applying Theorem 11.11, we know that αs[x].G_i and αs[x'].G_i are observations. From Corollary 11.2 we know that αs[x].G_i is a subgraph of αs[x'].G_i. Applying Lemma 11.10 we conclude that for each vertex v in αs[x].G_i, the set of incoming edges of v is the same in αs[x].G_i and αs[x'].G_i. Therefore, αs[x].G_i is a prefix of αs[x'].G_i. □

Corollary 11.13. For each location i and each positive integer x, αs[x].G_i is a prefix of G_i^∞.

Next, Lemma 11.15 shows that for any pair i, j of live locations, G_i^∞ = G_j^∞. We use Lemma 11.14, which shows that at any given point in the execution, the value of G_i is a prefix of the value of G_j at some later point in the execution, as a helper.

Lemma 11.14. For each positive integer k and every pair of locations i and j that are live in t_D, there exists a positive integer k' > k such that αs[k].G_i is a prefix of αs[k'].G_j.
Proof. Fix k, i, and j as in the hypotheses of the lemma. Since i is live, there exist positive integers k_1 ≥ k and k_2 ≥ k_1 such that αs[k_2].sendq_i contains (αs[k_1].G_i, j), and therefore, eventually the event send(αs[k_1].G_i, j)_i occurs, which sends αs[k_1].G_i to j. By Lemma 11.12 we know that αs[k].G_i is a prefix of αs[k_1].G_i. From the properties of the channel automata we know that eventually the event receive(αs[k_1].G_i, i)_j occurs, say between states αs[k_3] and αs[k_3 + 1], where k_3 > k_2, and from the pseudocode, we know that αs[k_3 + 1].G_j is αs[k_3].G_j ∪ αs[k_1].G_i. Invoking Theorem 11.11 we know that αs[k_3 + 1].G_j is an observation, and by Lemma 11.10 every vertex of αs[k_1].G_i has the same incoming edges in αs[k_1].G_i and in αs[k_3 + 1].G_j; hence αs[k_1].G_i is a prefix of αs[k_3 + 1].G_j. Since we have already established that αs[k].G_i is a prefix of αs[k_1].G_i, we conclude that αs[k].G_i is a prefix of αs[k_3 + 1].G_j. Thus the lemma is satisfied for k' = k_3 + 1. □


Lemma 11.15. For every pair of locations i and j that are live in t_D, G_i^∞ = G_j^∞.

Proof. Fix i and j as in the hypotheses of the lemma. Fix z to be either an edge or a vertex in G_i^∞. By definition, there exists a positive integer k such that αs[k].G_i contains z. By Lemma 11.14 we know that there exists a positive integer k' such that αs[k'].G_j contains z; applying Corollary 11.2 we conclude that for all k'' ≥ k', αs[k''].G_j contains z. In other words, G_j^∞ contains z. Therefore, G_i^∞ is a subgraph of G_j^∞.

Reversing the roles of i and j, we see that G_j^∞ is a subgraph of G_i^∞. Therefore, G_i^∞ = G_j^∞. □

Lemma 11.15 allows us to define G^∞ to be the graph G_i^∞ for any location i that is live in t_D.


Lemma 11.16. For every location i such that G^∞ contains an infinite number of vertices whose location is i, for each vertex v in G^∞, there exists a vertex v' in G^∞ whose location is i and the edge (v, v') is in G^∞.

Proof. Fix i and v as in the hypotheses of the lemma. Since G^∞ contains an infinite number of vertices whose location is i, we know that i is live in α, and therefore, an infinite number of events from O_{D,i} occur in α.

Since v is in G^∞ = G_i^∞, we know that there exists a positive integer x_1 such that v is a vertex of αs[x_1].G_i. Fix e to be the first event from O_{D,i} following αs[x_1] in α. Let the state preceding e in α be αs[x]. By Corollary 11.2, αs[x].G_i contains v. From the pseudocode, we know that when e occurs, a vertex of the form (i, *, e) is inserted into G_i. Let this vertex be v'. From the insertion operation, we know that an edge (v, v') is added to G_i. Therefore, αs[x + 1].G_i contains the edge (v, v'). From Corollary 11.13, we know that αs[x + 1].G_i is a prefix of G_i^∞ = G^∞. Therefore, there exists a vertex v' in G^∞ whose location is i and the edge (v, v') is in G^∞. □


Finally, in Theorem 11.17, we establish that G^∞ is an observation, and in Theorem 11.18 we establish that it is a viable observation.

Theorem 11.17. G^∞ is an observation.

Proof. For any live location j, we know from Lemma 11.12 that αs[0].G_j, αs[1].G_j, αs[2].G_j, ... is an infinite sequence of finite observations, where αs[x].G_j is a prefix of αs[x + 1].G_j for each natural number x. By definition, we know that G_j^∞ is the limit of the infinite sequence αs[0].G_j, αs[1].G_j, αs[2].G_j, ..., and we know that G^∞ = G_j^∞.

By Lemma 11.16, we know that for every vertex v and any location i ∈ live(G^∞), there exists a vertex v' with location i such that G^∞ contains an edge from v to v'. Therefore, invoking Lemma 8.10, we conclude that G^∞ is an observation. □
Next we establish that G^∞ is a viable observation. Intuitively, the proof is as follows. Recall that t_D ∈ T_D. For any live location i, G^∞ contains all the AFD output events from t_D that occur at i, in the same order in which they occur at i. For any non-live location i, G^∞ contains some prefix of the AFD output events from t_D that occur at i, again in the same order in which they occur at i. Also, there is an edge from a vertex v_1 = (i_1, k_1, e_1) to another vertex v_2 = (i_2, k_2, e_2) in G^∞ only if e_1 occurs before e_2 in t_D. Therefore, there must exist some sampling t'_D of t_D such that t'_D|O_D is a topological sort of G^∞. Invoking closure under sampling, we conclude that t'_D must be in T_D, and therefore G^∞ is viable. The formal theorem statement and proof follow.


Theorem 11.18. G^∞ is a viable observation for D.

Proof. Recall that t_D ∈ T_D. We complete the proof by showing that there exists a trace t'_D ∈ T_D that is compatible with G^∞; specifically, we show that there exists a topological sort v of the vertices of G^∞ and a sampling t'_D of t_D such that t'_D|O_D = e|O_D, where e is the event-sequence of v.

Let 𝒱 be the set of all topological sorts of the vertices of G^∞, and let ℰ = {e' | e' is the event-sequence of some v' ∈ 𝒱}. From the pseudocode, we see that every e' ∈ ℰ satisfies (1) for each location j, e'|O_{D,j} is a prefix of α|O_{D,j} = t_D|O_{D,j}, and (2) for each location j that is live in t_D, e'|O_{D,j} = α|O_{D,j} = t_D|O_{D,j}.

For any edge (v_1, v_2) in G^∞ we know that there exists a location i and a positive integer x such that αs[x].G_i contains the edge (v_1, v_2); applying Lemma 11.7, the event of v_1 occurs before the event of v_2 in α. Therefore, (3) for every edge (v_1, v_2) in G^∞, the event of v_1 occurs before the event of v_2 in t_D; consequently, listing the vertices of G^∞ in the order in which their events occur in t_D yields a topological sort of G^∞.

From (1), (2), and (3), we conclude that there exists an event-sequence e ∈ ℰ such that (1) for each location j, e|O_{D,j} is a prefix of α|O_{D,j} = t_D|O_{D,j}, (2) for each location j that is live in t_D, e|O_{D,j} = α|O_{D,j} = t_D|O_{D,j}, and (3) for every pair of events e_1, e_2 in e, if e_1 occurs before e_2 in t_D, then e_1 occurs before e_2 in e. Therefore, there exists a sampling t'_D of t_D such that t'_D|O_D = e|O_D. By closure under sampling we know that t'_D ∈ T_D. Thus, by definition, G^∞ is viable for D. □

We have seen so far that in any fair execution α of the system, at each live location i, G_i evolves as an ever growing observation such that the limit G^∞ of G_i in α is a viable observation for D.
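As an added illustration (example code written for this edit, not the paper's pseudocode or code from its authors), the following Python simulation runs the graph-gossip protocol that Sections 11.2.1 to 11.2.3 reason about on a constructed execution and checks the properties the lemmas state: insertion of a vertex (i, k, e) with an incoming edge from every existing vertex when an event from O_{D,i} occurs, union with a received observe message, the subgraph and prefix relations of Lemma 11.1 and Lemma 11.12, the edge-order property of Lemma 11.7, the uniqueness of (i, k) from Lemma 11.9, agreement of the live locations' final graphs (the finite analogue of Lemma 11.15), and the witness of Theorem 11.18, namely the vertices of the common graph listed in t_D order, which is a topological sort. The example assumes that locations are strings, that an AFD output event is identified by its position in t_D, that channels are reliable FIFO, and that a crashed location simply takes no further steps; the class and function names are the example's own, and the schedule in run_example is constructed.

```python
from collections import deque

class Graph:
    """G_i: vertices are triples (loc, k, e), edges are (u, v) pairs. Immutable."""
    def __init__(self, vertices=(), edges=()):
        self.V, self.E = frozenset(vertices), frozenset(edges)

    def insert(self, v):
        # insert(G, v): the new vertex gets an incoming edge from every existing vertex
        return Graph(self.V | {v}, self.E | {(u, v) for u in self.V})

    def union(self, other):
        return Graph(self.V | other.V, self.E | other.E)

    def incoming(self, v):
        return frozenset(u for (u, w) in self.E if w == v)

    def __eq__(self, other):
        return self.V == other.V and self.E == other.E

def is_subgraph(a, b):
    return a.V <= b.V and a.E <= b.E

def is_prefix(a, b):
    # a is a prefix of b: a is a subgraph of b and keeps every vertex's incoming edges
    return is_subgraph(a, b) and all(a.incoming(v) == b.incoming(v) for v in a.V)

class System:
    """One automaton per location name plus reliable FIFO channels (assumed model)."""
    def __init__(self, locations):
        self.G = {i: Graph() for i in locations}
        self.k = {i: 0 for i in locations}
        self.chan = {(i, j): deque() for i in locations for j in locations if i != j}
        self.t_D = []        # AFD output events (loc, e) in the order they occur
        self.snapshots = []  # snapshots[x] plays the role of αs[x].G for every location
        self._snap()

    def _snap(self):
        self.snapshots.append(dict(self.G))

    def afd_event(self, i):
        # an event from O_{D,i}: increment k_i and insert the vertex (i, k_i, e)
        e = len(self.t_D)
        self.t_D.append((i, e))
        self.k[i] += 1
        self.G[i] = self.G[i].insert((i, self.k[i], e))
        self._snap()

    def send(self, i, j):
        self.chan[(i, j)].append(self.G[i])    # the observe message is the current G_i
        self._snap()

    def receive(self, i, j):
        self.G[j] = self.G[j].union(self.chan[(i, j)].popleft())  # FIFO delivery at j
        self._snap()

def check_properties(system):
    """Lemmas 11.1/11.12 (each state's G_i is a prefix of the next), 11.7 (edges respect
    the order of events in t_D) and 11.9 (no two vertices share (loc, k) with different
    events), checked over every recorded state of every location."""
    snaps = system.snapshots
    for x in range(len(snaps) - 1):
        if not all(is_prefix(snaps[x][i], snaps[x + 1][i]) for i in snaps[x]):
            return False
    seen = {}
    for snap in snaps:
        for g in snap.values():
            if any(u[2] >= v[2] for (u, v) in g.E):
                return False
            if any(seen.setdefault((loc, k), e) != e for (loc, k, e) in g.V):
                return False
    return True

def viability_witness(system, live):
    """Theorem 11.18's witness: the vertices of the common final graph listed in t_D order.
    Checks that the live locations agree on the graph (Lemma 11.15), that the listing is a
    topological sort, and that each location's events form a prefix of t_D|O_{D,i}
    (the whole of it for a live location). Returns the event ids in that order."""
    limit = system.G[live[0]]
    if not all(system.G[i] == limit for i in live):
        raise ValueError("live locations disagree")
    order = sorted(limit.V, key=lambda v: v[2])
    pos = {v: n for n, v in enumerate(order)}
    if not all(pos[u] < pos[v] for (u, v) in limit.E):
        raise ValueError("not a topological sort")
    for i in system.G:
        in_t_D = [e for (loc, e) in system.t_D if loc == i]
        in_limit = [v[2] for v in order if v[0] == i]
        if in_limit != in_t_D[:len(in_limit)] or (i in live and in_limit != in_t_D):
            raise ValueError(f"events of {i} are not a (complete) prefix of t_D")
    return [v[2] for v in order]

def run_example():
    """Constructed execution: p and q are live; r stops after its second AFD event,
    which therefore never reaches the others."""
    s = System(["p", "q", "r"])
    s.afd_event("p"); s.afd_event("r"); s.afd_event("q")
    s.send("p", "q"); s.send("r", "p")
    s.receive("p", "q"); s.receive("r", "p")
    s.afd_event("r")
    s.afd_event("q"); s.afd_event("p")
    s.send("q", "p"); s.send("p", "q")
    s.receive("q", "p"); s.receive("p", "q")
    return s
```

Running run_example() and then check_properties(s) and viability_witness(s, ["p", "q"]) exercises the whole chain: the final graphs of p and q coincide, the crashed location r contributes only its first event to that graph (a proper prefix of t_D|O_{D,r}), and the t_D-ordered listing of vertices is a topological sort, which is exactly the sampling argument of Theorem 11.18 in finite form.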


11.2.4 Identifying the smallest decision gadget

Next, we show that R^{G^∞} has at least one non-Γ decision gadget. Let Y be the first non-Γ decision gadget in R^{G^∞}. We show that at each live location i, eventually, R^{G_i} will contain the decision gadget Y, and importantly, eventually forever, Y remains the first non-Γ decision gadget of R^{G_i}. By Theorem 10.28, we know that the critical location of Y is a live location. Since, for all the live locations i, the first non-Γ decision gadget of R^{G_i} converges to Y, all the live locations converge to the same live location, which is the output of A^f. Thus, A^f solves Ω_f using AFD D.


Corollary 11.19. R^{G^∞} contains at least one decision gadget.

Proof. Follows from Theorems 10.28 and 11.18. □


Applying the above Corollary, we know that R^{G^∞} contains a decision gadget. Applying Theorem 10.41, let Y_min be first(R^{G^∞}) (the first non-Γ decision gadget in R^{G^∞}).
Lemma 11.20. For each location i that is live in t_D, there exists a positive integer x such that for all positive integers x' ≥ x, Y_min is the first non-Γ decision gadget in αs[x'].R^{G_i}.

Proof. Fix a location i that is live in t_D. Invoking Theorem 11.11 we know that for each positive integer x, αs[x].G_i is an observation. Since G^∞ = lim_{x→∞} αs[x].G_i is a viable observation for D and t_D is compatible with G^∞, we invoke Lemma 11.12 to conclude that αs[1].G_i, αs[2].G_i, ... is an infinite sequence of finite observations, each a prefix of the next, that converges to G^∞. Thus, the conclusion follows immediately from the application of Lemma 10.43. □


Theorem 11.21. The algorithm A^f solves Ω_f using AFD D, where f < n.

Proof. Fix a fair execution α of the system consisting of the automata of A^f, the channel automata, and the crash automaton, such that at most f locations crash in α. Let t_D denote the trace of D in α. For each location i that is live in t_D, let G_i^∞ denote lim_{x→∞} αs[x].G_i. Applying Lemma 11.15, we know that for each pair of locations i and j that are live in t_D, G_i^∞ = G_j^∞ = G^∞. By Theorem 11.18, we know that G^∞ is a viable observation for D. By Corollary 11.19, we know that R^{G^∞} contains at least one decision gadget. Applying Theorem 10.41, let Y_min be the first non-Γ decision gadget in R^{G^∞}. Applying Lemma 11.20, we know that for each location i that is live in t_D, eventually and permanently, Y_min is the first non-Γ decision gadget of R^{G_i}. Thus, for each location i that is live in t_D, eventually and permanently, when an event from O_{D,i} occurs in α, (fdout, i) is appended to sendq_i, where fdout is the critical location of Y_min. Therefore, for each location i that is live in t_D, some suffix of α|FDQ_i is the infinite sequence over FDQ(fdout)_i. Applying Theorem 10.28, we know that fdout is live in G^∞, and therefore fdout is live in α. In other words, A^f solves Ω_f using D. □


12 Conclusion

We have shown that for any strong-sampling AFD sufficient to solve consensus, the executions of the system that solves consensus using this AFD must satisfy the following property. For any fair execution, the events responsible for the transition from a bivalent execution to a univalent execution must occur at a location that does not crash. Using the above result, we have shown that Ω is a weakest strong-sampling AFD to solve consensus. The proof is along lines similar to the original proof from [2]. However, our proof is much more rigorous and does not make any implicit assumptions or assertions. Furthermore, the notion of observations and the tree of executions introduced in the preceding sections, and their properties, may be of independent interest.